GHSA-wx8q-4gm9-rj2g

Published: 15 Mar 2024
Source: github
GitHub: Reviewed
CVSS3: 4

Description

Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime

Impact

OS command injection vulnerability within the Fluid project's JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data.

Patches

For users who're using version < 0.9.3 with JuicefsRuntime, upgrade to v0.9.3.

References

Are there any links users can visit to find out more?

Credits

Special thanks to the discoverers of this issue:

Xiaozheng Zhang xiaozheng_zhang@outlook.com

Packages

Name

github.com/fluid-cloudnative/fluid

go
Affected versions: < 0.9.3

Fixed version: 0.9.3

EPSS

Percentile: 21%
0.00069
Low

4 Medium

CVSS3

Weaknesses

CWE-78

Related vulnerabilities

CVSS3: 4
nvd
almost 2 years ago

Fluid is an open source Kubernetes-native Distributed Dataset Orchestrator and Accelerator for data-intensive applications. An OS command injection vulnerability within the Fluid project's JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data. Users who're using versions < 0.9.3 with JuicefsRuntime should upgrade to v0.9.3.

CVSS3: 4
fstec
almost 2 years ago

Vulnerability in the JuiceFSRuntime management environment of Fluid, an open-source Kubernetes distributed dataset orchestrator and accelerator for data-intensive applications, that allows an attacker to execute arbitrary commands

EPSS

Percentile: 21%
0.00069
Low

4 Medium

CVSS3

Weaknesses

CWE-78