Platform: go
Component: github.com/tektoncd/pipeline
Fixed in: 1.0.1, 1.1.1, 1.4.1, 1.7.1, 1.10.1
CVE-2026-33211 is a critical path traversal vulnerability in the Tekton Pipelines git resolver. It lets an authorized tenant read arbitrary files from the resolver pod's filesystem, potentially exposing sensitive data such as ServiceAccount tokens. The vulnerability affects versions prior to 1.0.1 and has been addressed with a patch.
The primary impact of CVE-2026-33211 is unauthorized access to sensitive files inside the Tekton Pipelines resolver pod. An attacker able to create ResolutionRequests can exploit the flaw to read arbitrary files, including ServiceAccount tokens. A compromised token grants the attacker elevated privileges within the Kubernetes cluster, enabling lateral movement and potentially complete control over the affected environment. Because the file contents are returned base64-encoded in resolutionrequest.status.data, exfiltration is straightforward. As with other path traversal flaws, the attack relies on predictable filesystem layouts to reach restricted resources.
CVE-2026-33211 was publicly disclosed on 2026-03-18. Its severity is rated CRITICAL (CVSS 9.6). No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation makes it a high-priority concern. It is not currently listed in the CISA KEV catalog.
Organizations using Tekton Pipelines for CI/CD workflows are at risk, particularly those whose permission model grants tenants the ability to create ResolutionRequests. Shared Kubernetes clusters in which multiple teams or projects share resources are especially exposed, since a compromised tenant could affect other workloads.
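The class of bug described above is closed by confining a tenant-supplied pathInRepo to the cloned repository directory before any file is read. The following Go check is an added example, not Tekton's own code; the function name, the checkout directory and the sample inputs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscapesRepo is returned when pathInRepo would resolve outside the checkout.
var ErrPathEscapesRepo = errors.New("pathInRepo escapes the repository checkout")

// resolvePathInRepo maps a tenant-supplied pathInRepo onto the cloned repository
// directory and refuses any value that would leave it (hypothetical helper, not
// Tekton's code). The check is lexical: absolute paths are rejected, ".." segments
// are collapsed by filepath.Join, and filepath.Rel confirms the result still sits
// under root. Symlinks inside the checkout that point outside it would need a
// second check on the real directory with filepath.EvalSymlinks.
func resolvePathInRepo(repoRoot, pathInRepo string) (string, error) {
	if pathInRepo == "" {
		return "", errors.New("pathInRepo must not be empty")
	}
	// "/etc/passwd" or "/../../etc/passwd" must never be treated as repo-relative.
	if filepath.IsAbs(pathInRepo) || strings.HasPrefix(pathInRepo, "/") {
		return "", ErrPathEscapesRepo
	}
	root := filepath.Clean(repoRoot)
	joined := filepath.Join(root, pathInRepo) // Join also cleans "a/../b" to "b"
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	// A path relative to root that starts with ".." points outside the checkout.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscapesRepo
	}
	return joined, nil
}

func main() {
	// Constructed sample inputs; the checkout directory is an assumed value.
	root := "/workspace/git-resolver/checkout"
	for _, p := range []string{"pipelines/build.yaml", "tasks/../pipelines/build.yaml", "../../../../etc/passwd", "/../../../../etc/passwd"} {
		resolved, err := resolvePathInRepo(root, p)
		fmt.Printf("%q -> %q err=%v\n", p, resolved, err)
	}
}
```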
• linux / server:
  journalctl -u tekton-git-resolver -g 'pathInRepo' | grep -i 'file content'
• linux / server:
  ps aux | grep -i 'github.com/tektoncd/pipeline/pkg/resolution/resolver/git/repository.go'
• generic web:
  curl -I 'http://<tekton-resolver-url>/resolutionrequest?pathInRepo=/../../../../etc/passwd'  # Check for 200 OK response indicating file access
Exploit status
EPSS: 0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33211 is to upgrade Tekton Pipelines to version 1.0.1 or later, which includes the fix for this vulnerability. If immediate upgrade is not feasible, restrict the permissions of tenants who can create ResolutionRequests to minimize the potential attack surface. Implement network policies to limit access to the resolver pod. Consider using a Web Application Firewall (WAF) to filter requests containing potentially malicious path traversal attempts, although this is not a complete solution. After upgrading, verify the fix by attempting to access a non-existent file via the pathInRepo parameter and confirming that access is denied.
Update Tekton Pipelines to version 1.0.1, 1.3.3, 1.6.1, 1.9.2 or 1.10.2 or later. These versions include a fix for the path traversal vulnerability in the git resolver.
CVE-2026-33211 is a critical vulnerability in Tekton Pipelines allowing attackers to read arbitrary files via the pathInRepo parameter, potentially exposing sensitive data like ServiceAccount tokens.
You are affected if you are using Tekton Pipelines versions prior to 1.0.1 and have tenants with permission to create ResolutionRequests.
Upgrade Tekton Pipelines to version 1.0.1 or later to address the vulnerability. Restrict tenant permissions as an interim measure.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the official Tekton Pipelines security advisory for detailed information and updates: https://github.com/tektoncd/pipeline/security/advisories/GHSA-xxxx-xxxx-xxxx (placeholder; replace with the actual advisory link)