HIGH 7.7

GHSA-gc3j-79f2-7vvw

Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance

Details

### Summary

A low-privilege developer who could create a `KubernetesWatchTrigger` (KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace.

### Details

Two independent flaws compounded:

1. `pkg/kubewatcher/kubewatcher.go::createKubernetesWatch` used `w.Spec.Namespace` (user-controlled) directly as the Watch target without checking it against `w.Namespace` (the KWT's own namespace). `kubewatcher` established the Watch using its cluster-scoped service account and serialized every Pod/Service/Job change event as full JSON over HTTP POST to the attacker's function.
2. The validating webhook (`pkg/webhook/kuberneteswatchtrigger.go`) registered `verbs=create` only, so `update`/`patch` requests bypassed validation entirely.

A separate leak: an empty `spec.namespace` resolved to **all namespaces** via the controller's default, letting an attacker omit the field to surveil the entire cluster.

### Impact

A tenant with `kuberneteswatchtriggers.fission.io/create` could continuously receive full event payloads for Pods, Services, and Jobs in any namespace — a persistent cross-tenant surveillance channel requiring no additional privileges.

### Fix

Fixed in [#3379](https://github.com/fission/fission/pull/3379) and released in [v1.24.0](https://github.com/fission/fission/releases/tag/v1.24.0).

- The validating webhook marker is extended to `verbs=create;update`.
- `Validate` rejects `KubernetesWatchTrigger.spec.namespace != metadata.namespace`.
- A controller guard in `createKubernetesWatch` rejects cross-namespace targets that bypass admission and coerces an empty `Spec.Namespace` to the trigger's own namespace.

### Behavioural change

KubernetesWatchTriggers with an unset `spec.namespace` now watch only their own namespace instead of all namespaces. Anyone relying on the previous all-namespaces behaviour must create a separate KWT per namespace.
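The two-layer guard described under "Fix" and "Behavioural change", as an added illustration that is not Fission's own code: the admission check runs on create and update alike, and the controller re-checks the namespace itself so a request that skipped admission still cannot watch another tenant. The `KubernetesWatchTrigger` struct below is a minimal stand-in with only the two fields the advisory discusses; the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal stand-in for the trigger object (assumption: only the two fields
// relevant to this advisory are modelled; the real Fission CRD has many more).
type KubernetesWatchTrigger struct {
	Namespace     string // metadata.namespace: where the trigger object lives
	SpecNamespace string // spec.namespace: the namespace the watch targets
}

var ErrCrossNamespace = errors.New("kuberneteswatchtrigger: spec.namespace must equal metadata.namespace")

// ValidateTrigger is the admission-time check. It must be registered for
// create AND update so that a patch cannot bypass it. An empty spec.namespace
// passes here because the controller coerces it; any other value must match
// the namespace the trigger object lives in.
func ValidateTrigger(t KubernetesWatchTrigger) error {
	if t.SpecNamespace != "" && t.SpecNamespace != t.Namespace {
		return fmt.Errorf("%w: got %q in trigger namespace %q", ErrCrossNamespace, t.SpecNamespace, t.Namespace)
	}
	return nil
}

// ResolveWatchNamespace is the controller-side guard: it never trusts
// spec.namespace on its own. Empty resolves to the trigger's own namespace
// (not to all namespaces), and a mismatch is rejected even if admission was skipped.
func ResolveWatchNamespace(t KubernetesWatchTrigger) (string, error) {
	if t.Namespace == "" {
		return "", errors.New("kuberneteswatchtrigger: metadata.namespace is empty")
	}
	if err := ValidateTrigger(t); err != nil {
		return "", err
	}
	return t.Namespace, nil
}

func main() {
	// Constructed sample triggers: same namespace, unset namespace, cross-namespace.
	for _, t := range []KubernetesWatchTrigger{
		{Namespace: "team-a", SpecNamespace: "team-a"},
		{Namespace: "team-a", SpecNamespace: ""},
		{Namespace: "team-a", SpecNamespace: "team-b"},
	} {
		ns, err := ResolveWatchNamespace(t)
		fmt.Printf("spec=%q -> watch=%q err=%v\n", t.SpecNamespace, ns, err)
	}
}
```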


Affected package

Go / github.com/fission/fission
First affected version: 0
Fixed version: 1.24.0
Fix: `go get github.com/fission/fission@v1.24.0`
