Coordinated Disclosure Timeline

Summary

The k3s repository is vulnerable to Poisoned Pipeline Execution (PPE). An attacker can gain pull_requests: write permission by opening a Pull Request and adding a comment to it.

Project

k3s

Tested Version

Latest commit at the time of reporting.

Details

Execution of untrusted code in trivy.yaml workflow (GHSL-2024-207)

The trivy.yaml workflow is triggered when a comment containing /trivy is posted on a Pull Request:

on:
  issue_comment:
    types: [created]

The workflow checks out the Pull Request head and, therefore, attacker-controlled code:

    - name: Checkout PR code
      uses: actions/checkout@v4
      with:
        ref: refs/pull/${{ github.event.issue.number }}/head

and then runs make:

    - name: Build K3s Image
      run: |
        make local
        make package-image
        make tag-image-latest

An attacker can craft a Pull Request that modifies the Makefile and adds malicious code to the local target. By then adding a /trivy comment to the Pull Request, the attacker causes the workflow to run, and gains write permissions to the repository.
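The pattern described above, as an added example that is not part of the advisory or of the k3s project: a small stdlib-only Python scanner that flags the PPE shape in a workflow file (an externally raisable trigger, a checkout of pull-request code, and a step that runs it) and then weighs the token scope and whether the job is gated on the commenter's role. The two embedded workflows are constructed for this example; the hardened variant is an assumed mitigation (read-only GITHUB_TOKEN plus an author_association gate), not the project's actual fix, and treating a missing permissions block as write-capable is an assumption about repository defaults.

```python
import re

# Constructed sample shaped like the trivy.yaml pattern in the advisory (comment-triggered
# checkout of the PR head, then `make`); an illustration, not the repository's actual file.
VULNERABLE_WORKFLOW = """\
on:
  issue_comment:
    types: [created]
jobs:
  scan:
    if: github.event.issue.pull_request && contains(github.event.comment.body, '/trivy')
    steps:
      - name: Checkout PR code
        uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
      - name: Build K3s Image
        run: |
          make local
"""

# Constructed hardened variant (an assumed mitigation, not the project's fix): GITHUB_TOKEN
# limited to read access and the job gated on the commenter's repository role.
HARDENED_WORKFLOW = """\
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
jobs:
  scan:
    if: >-
      github.event.issue.pull_request && contains(github.event.comment.body, '/trivy') &&
      contains(fromJSON('["OWNER","MEMBER"]'), github.event.comment.author_association)
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
      - run: make local
"""

# Events an outside contributor can raise that still run with the base repository's token.
DANGEROUS_TRIGGERS = {"issue_comment", "pull_request_target", "workflow_run"}
# Checkout refs that resolve to pull-request code rather than the base branch.
UNTRUSTED_REF = re.compile(
    r"refs/pull/\$\{\{\s*github\.event\.(?:issue|pull_request)\.number\s*\}\}/(?:head|merge)"
    r"|github\.event\.pull_request\.head\.(?:sha|ref)"
)


def triggers(text):
    """Event names under the top-level `on:` key (block, inline-list or scalar form);
    line-based on purpose so the scanner needs no YAML library."""
    lines, found = text.splitlines(), set()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        if m.group(1).strip():  # `on: push` or `on: [push, issue_comment]`
            return {t.strip() for t in m.group(1).strip("[] ").split(",") if t.strip()}
        base = None
        for nxt in lines[i + 1:]:
            indent = len(nxt) - len(nxt.lstrip())
            if not nxt.strip():
                continue
            if indent == 0:  # next top-level key closes the `on:` block
                break
            base = indent if base is None else base
            km = re.match(r"^\s*(?:-\s*)?([A-Za-z_]+)\s*:?\s*$", nxt)
            if indent == base and km:  # deeper lines such as `types: [created]` are skipped
                found.add(km.group(1))
        break
    return found


def token_can_write(text):
    """No `permissions:` block means the repository default applies, assumed permissive here;
    an explicit `write` scope or `write-all` is write-capable too."""
    if re.search(r"^\s*permissions:", text, re.M) is None:
        return True
    return re.search(r"^\s+[a-z-]+:\s*write\s*$|^\s*permissions:\s*write-all\s*$", text, re.M) is not None


def assess(text):
    """Classify a workflow for the PPE pattern (externally raisable trigger + checkout of
    pull-request code + a step that executes it), then weigh token scope and gating."""
    dangerous = sorted(triggers(text) & DANGEROUS_TRIGGERS)
    untrusted = "actions/checkout" in text and UNTRUSTED_REF.search(text) is not None
    runs = re.search(r"^\s*(?:-\s*)?run:", text, re.M) is not None
    write, gated = token_can_write(text), "author_association" in text
    ppe = bool(dangerous) and untrusted and runs
    if ppe and write and not gated:
        risk = "critical"  # any commenter can run PR code with a write-capable token
    elif ppe and (write or not gated):
        risk = "high"
    elif ppe:
        risk = "medium"  # PR code still runs, but with a read-only token and trusted commenters only
    else:
        risk = "low"
    return {"dangerous_triggers": dangerous, "checks_out_untrusted_ref": untrusted,
            "token_can_write": write, "gated_on_author": gated, "risk": risk}
```

Run `assess(open(".github/workflows/trivy.yaml").read())` over each workflow in a repository to get a first triage list; the heuristics are deliberately loose (any mention of author_association counts as gating, any `write` scope counts as write-capable), so a "critical" result means a human should read the file, not that a finding is confirmed.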

Impact

This issue may lead to the injection of malicious code into the repository.

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-207 in any communication regarding this issue.