Cyber Resilience

CVE-2023-44392

High

Published: 09 October 2023
Modified: 21 November 2024
KEV Added: not listed (not in the CISA KEV catalog at time of writing)
Patch: available (Garden 0.12.65 and 0.13.17)
CVSS v3.1: 8.2 (High) CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.0733 (91.9th percentile)
Risk Priority: 21 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-44392 is a high-severity code injection vulnerability (CWE-94) in Garden, a Kubernetes development and testing automation tool; the root cause is insecure deserialization (CWE-502) in the cryo library Garden depends on. Its CVSS v3.1 base score is 8.2 (High).

Operationally, it ranks in the top 8.1% of CVEs by EPSS exploit likelihood (EPSS 0.0733, 91.9th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Garden is an automation tool for Kubernetes development and testing that depends on the cryo library for object serialization. Prior to versions 0.13.17 and 0.12.65, Garden cached test and run results by storing cryo-serialized objects inside Kubernetes ConfigMaps whose names are prefixed with test-result or run-result; these resources reside in either the garden-system namespace or a user-specified namespace. The vulnerability stems from cryo’s insecure deserialization implementation, which permits code injection and is tracked under CWE-94 and CWE-502.

An attacker who already has write access to the target Kubernetes cluster can place malicious serialized objects into those ConfigMaps. When a legitimate user later executes garden test or garden run against a previously cached result, Garden retrieves and deserializes the object, and cryo's deserializer runs the attacker's code on that user's workstation. Exploitation therefore requires both write access to the ConfigMaps in the relevant namespace and an active user invocation of one of the two affected commands. The direction of the attack matters for threat modeling: the cluster is the injection point, but the code executes on whichever developer or CI machine runs the Garden CLI, which is what the changed scope (S:C) and the user-interaction requirement (UI:R) in the CVSS vector reflect.

The GitHub Security Advisory GHSA-hm75-6vc9-8rpr and the associated commits confirm that the flaw is resolved in Garden 0.13.17 (Bonsai) and 0.12.65 (Acorn); no workarounds are documented, so upgrading the CLI on every workstation and CI runner that invokes garden test or garden run is the fix. Until that is done, exposure can be bounded by tightening RBAC on ConfigMap create and update in garden-system and in the namespaces Garden is configured to use, since that write access is the precondition for the attack. The EPSS score has remained flat at 0.0733 with no material increase since disclosure.
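The two checks above (is the installed CLI in an affected range, and which cached result ConfigMaps exist in the namespaces Garden writes to) as an added example script. This is not Garden's or cryo's own code: the version boundaries come from the advisory, the ConfigMap prefixes and namespaces from the description above, and SAMPLE_LISTING is a constructed stand-in for the JSON that `kubectl get configmaps -A -o json` returns (names and timestamps are invented).

```python
"""Triage helpers for CVE-2023-44392 (added example; not Garden's or cryo's own code).

  1. is_vulnerable(version): is this Garden CLI version in an affected range?
     Affected: anything below 0.12.65, and 0.13.0 up to but not including 0.13.17.
  2. cached_result_configmaps(listing, user_namespaces): from the parsed JSON of
     `kubectl get configmaps -A -o json`, list the ConfigMaps whose names start with
     test-result or run-result in garden-system or in the configured user namespaces.
     These are the objects that `garden test` / `garden run` retrieve and deserialize.
"""
import json
import re

CACHE_PREFIXES = ("test-result", "run-result")
FIXED_ACORN = (0, 12, 65)
FIXED_BONSAI = (0, 13, 17)


def parse_version(version):
    """'0.13.16' or 'v0.13.16-rc1' -> (0, 13, 16). Pre-release suffixes are ignored (assumption)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Garden version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if the version falls in a range the advisory marks as affected."""
    v = parse_version(version)
    if v < FIXED_ACORN:
        return True                        # 0.12.x below the Acorn fix, and older lines
    return (0, 13, 0) <= v < FIXED_BONSAI  # 0.13.x below the Bonsai fix


def cached_result_configmaps(listing, user_namespaces=()):
    """Return sorted (namespace, name, creationTimestamp) tuples for cached Garden results."""
    watched = {"garden-system", *user_namespaces}
    hits = []
    for item in listing.get("items", []):
        meta = item.get("metadata", {})
        ns, name = meta.get("namespace"), meta.get("name", "")
        if ns in watched and name.startswith(CACHE_PREFIXES):
            hits.append((ns, name, meta.get("creationTimestamp")))
    return sorted(hits)


# Constructed stand-in for `kubectl get configmaps -A -o json` output (invented names/timestamps).
SAMPLE_LISTING = json.loads("""
{"apiVersion": "v1", "kind": "List", "items": [
  {"metadata": {"namespace": "garden-system", "name": "test-result-a1b2c3", "creationTimestamp": "2023-10-01T10:00:00Z"}},
  {"metadata": {"namespace": "garden-system", "name": "run-result-d4e5f6",  "creationTimestamp": "2023-10-02T11:00:00Z"}},
  {"metadata": {"namespace": "dev-alice",     "name": "test-result-778899", "creationTimestamp": "2023-10-03T12:00:00Z"}},
  {"metadata": {"namespace": "kube-system",   "name": "coredns",            "creationTimestamp": "2023-09-01T00:00:00Z"}},
  {"metadata": {"namespace": "garden-system", "name": "garden-config",      "creationTimestamp": "2023-09-15T00:00:00Z"}}
]}
""")

if __name__ == "__main__":
    for ver in ("0.12.64", "0.12.65", "0.13.16", "0.13.17"):
        print(f"garden {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    for ns, name, ts in cached_result_configmaps(SAMPLE_LISTING, user_namespaces=("dev-alice",)):
        print(f"cached result ConfigMap {ns}/{name} created {ts}")
```

Against a live cluster, pipe `kubectl get configmaps -A -o json` through `json.load` and pass the result, adding the namespace(s) your Garden projects are configured to use. For each ConfigMap reported, the follow-up question is who could have written it: `kubectl auth can-i create configmaps -n garden-system --as=<subject>` (and the same for `update`) answers that per subject, and create/update on those ConfigMaps is exactly the precondition the advisory describes.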

Vulnerability details

Garden provides automation for Kubernetes development and testing. Prior to versions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes `ConfigMap` resources prefixed with `test-result` and `run-result` to cache Garden test and run results. These `ConfigMaps` are stored either in the `garden-system` namespace or the configured user namespace. When a user invokes the command `garden test` or `garden run`, objects stored in the `ConfigMap` are retrieved and deserialized. This can be used by an attacker with access to the Kubernetes cluster to store malicious objects in the `ConfigMap`, which can trigger a remote code execution on the user's machine when cryo deserializes the object. In order to exploit this vulnerability, an attacker must have access to the Kubernetes cluster used to deploy garden remote environments. Further, a user must actively invoke either a `garden test` or `garden run` which has previously cached results. The issue has been patched in Garden versions `0.13.17` (Bonsai) and `0.12.65` (Acorn). Only Garden versions prior to these are vulnerable. No known workarounds are available.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-502 Deserialization of Untrusted Data

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

garden (Garden CLI)
Affected: < 0.12.65 (Acorn line) · 0.13.0 to < 0.13.17 (Bonsai line)
Fixed: 0.12.65 · 0.13.17

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry, so treat it as generic guidance for CWE-94 and CWE-502 rather than controls verified against this flaw. In particular, the two CWE-94 entries aimed at native code injection (read-only executable media, non-executable data memory) do not address this vulnerability: the injection here happens inside cryo's deserializer, which evaluates the attacker's object when the ConfigMap contents are loaded, so no code has to be written into executable memory. The entries that match the actual attack path are those that keep untrusted serialized data away from the deserializer or verify its integrity first, alongside the vendor patch.

addresses: CWE-502, CWE-94
Untrusted serialized data is deserialized and observed inside an isolated sandbox, blocking gadget-chain exploitation outside it.

addresses: CWE-94, CWE-502
Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-502
Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

addresses: CWE-502
Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.

addresses: CWE-94
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94
Directly prevents execution of attacker-supplied code written into data memory regions.

addresses: CWE-502
Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.

addresses: CWE-502
Integrity verification of serialized information can detect tampering before deserialization occurs.
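The last control above (verify integrity before deserializing) as an added example, not Garden's or cryo's code. A trusted writer attaches an HMAC-SHA256 tag over the serialized bytes before storing them; the reader recomputes the tag and refuses to deserialize on mismatch. Python's pickle stands in for cryo because loading an attacker-controlled pickle can likewise execute code, which is exactly why the check has to run before pickle.loads and never after. KEY and every payload are constructed for the example.

```python
"""Integrity gate in front of a deserializer (added example; not Garden's or cryo's code).

A trusted writer seals a cache entry as tag || pickle(obj); the reader verifies the
HMAC-SHA256 tag in constant time and only then calls pickle.loads. An attacker who can
overwrite the stored bytes but does not hold KEY cannot produce a valid tag.
"""
import hashlib
import hmac
import pickle

KEY = b"example-key-provisioned-out-of-band"  # assumption: held only by trusted writers
TAG_LEN = hashlib.sha256().digest_size         # 32 bytes


class TamperedCacheEntry(Exception):
    """Raised when a cached blob fails integrity verification."""


def seal(obj, key=KEY):
    """Serialize obj and prepend an HMAC-SHA256 tag computed over the serialized bytes."""
    body = pickle.dumps(obj, protocol=4)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def verifies(blob, key=KEY):
    """True if blob carries a valid tag. Performs no deserialization."""
    if len(blob) < TAG_LEN:
        return False
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def open_sealed(blob, key=KEY):
    """Verify first, then deserialize. Unverified bytes never reach pickle.loads."""
    if not verifies(blob, key):
        raise TamperedCacheEntry("HMAC mismatch: refusing to deserialize cached entry")
    return pickle.loads(blob[TAG_LEN:])


def forge_body(blob, attacker_obj):
    """Simulate an attacker who can overwrite the stored data but does not hold the key:
    the old tag is kept and the attacker's own serialized object is swapped in."""
    return blob[:TAG_LEN] + pickle.dumps(attacker_obj, protocol=4)


def demo():
    """Returns (legitimate_roundtrip_ok, forged_entry_rejected)."""
    entry = {"test": "unit", "success": True, "log": "42 passed"}   # constructed cache entry
    blob = seal(entry)
    roundtrip_ok = open_sealed(blob) == entry
    forged = forge_body(blob, {"test": "unit", "success": True, "log": "tampered"})
    try:
        open_sealed(forged)
        rejected = False
    except TamperedCacheEntry:
        rejected = True
    return roundtrip_ok, rejected


if __name__ == "__main__":
    print("legitimate round trip ok, forged entry rejected:", demo())
```

The gate only helps if the key is out of reach of whoever can write the cached data; a key stored in the same cluster, readable by the same attacker, adds nothing. For Garden specifically the writer and reader are the same CLI, so such a scheme would have to be designed in by the project; the remediation that actually exists is the upgrade to 0.12.65 or 0.13.17, which removes the unsafe deserialization path rather than gating it.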
