CVE Reports
September 01, 2023 - CVE-2023-22809 Sudo Vulnerability - 7.8 CVSS
The sudo program version 1.9.12p2 and earlier mishandles extra arguments passed in the user-provided environment variables SUDO_EDITOR, VISUAL, and EDITOR when the sudoedit command is executed. The mishandling allows a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain the -- argument that defeats a protection mechanism. For example, an attacker may supply a value such as EDITOR='vim -- /path/to/extra/file'.
Impact
This vulnerability affects the following Palette components:
- Self-hosted Palette instances with versions older than 4.0.0
- Private Cloud Gateways instances with versions older than 4.0.0
- Clusters deployed with Palette versions older than 4.0.0
Patches
For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the Operating System (OS).
Workarounds
For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the OS Patching documentation for more information.
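Besides patching, the upstream sudo advisory for CVE-2023-22809 documents a sudoers-level workaround that removes the three editor variables from the environment of a sudoedit rule. The fragment below is an added illustration, not Palette's configuration or text from this page; the SUDOEDIT alias name, the /etc/custom/service.conf path and the operators group are hypothetical.

```text
# Constructed /etc/sudoers fragment (apply with visudo).
# Drop the editor-selection variables for the sudoedit rule so a caller
# cannot carry extra file arguments through them (CVE-2023-22809).
Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"

# Hypothetical rule: members of "operators" may edit one file via sudoedit.
Cmnd_Alias SUDOEDIT = sudoedit /etc/custom/service.conf
%operators ALL = (root) SUDOEDIT
```

The Defaults line must name the same Cmnd_Alias that grants sudoedit, otherwise the variables are still passed through for that rule.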
References
September 01, 2023 - CVE-2023-38408 OpenSSH Vulnerability - 9.8 CVSS
The PKCS#11 feature in the OpenSSH ssh-agent before version 9.3p2 has an insufficiently trustworthy search path. This may lead to remote code execution if an agent is forwarded to an attacker-controlled system. Code in the folder /usr/lib may be unsafe to load into the ssh-agent. This issue exists because of an incomplete fix for CVE-2016-10009.
Impact
This vulnerability affects the following Palette components:
- Self-hosted Palette instances with versions older than 4.0.0
- Private Cloud Gateways instances with versions older than 4.0.0
- Clusters deployed with Palette versions older than 4.0.0
Patches
- For self-hosted Palette environments, upgrade to Palette version 4.0.0 or greater. Upgrading Palette will automatically update the Operating System (OS).
Workarounds
- For clusters and Private Cloud Gateways, patch the OS. You can use the on-demand or scheduled features to apply the OS security patches. Refer to the OS Patching documentation for more information.
References
September 01, 2023 - CVE-2023-29400 - HTML Template Vulnerability Security Advisory - 7.3 CVSS
When using Go templates with actions in unquoted HTML attributes, such as attr={{.}}, unexpected output may occur due to HTML normalization rules if invoked with an empty input. This may allow the injection of arbitrary attributes into tags.
Impact
No impact. We use the Go package html/template and our HTML templates are static. Our templates do not contain the characters mentioned in the CVE. We also do not accept or parse any provided user data.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-24539 - HTML Template Vulnerability Security Advisory - 7.3 CVSS
Angle brackets <> are not considered dangerous characters when inserted into Cascading Style Sheets (CSS) contexts. Go templates containing multiple actions separated by a / character can result in unexpectedly closing the CSS context and allowing for the injection of unexpected HTML if executed with untrusted input.
Impact
No impact. We use the Go package html/template and our HTML templates are static. We also do not accept or parse any provided user data.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-24538 - HTML Template Vulnerability - Security Advisory - 9.8 CVSS
Go templates do not consider backticks as a JavaScript string delimiter and, as a result, do not escape them as expected. Backticks have been used since ES6 for JS template literals. If a Go template contains an action within a JavaScript template literal, the action's contents can be used to terminate the literal and potentially inject arbitrary JavaScript code into the Go template.
Go template actions are now disallowed inside JavaScript template literals, for example "var a = `{{.}}`", since there is no safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With this fix, Template.Parse() returns an error when it encounters templates containing actions within JavaScript template literals. The ErrorCode has a value of 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped.
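Added example, not code from this page, from Palette or from the Go project: a small Go program that exercises two constructed html/template sources, the unquoted-attribute pattern from CVE-2023-29400 above and the JavaScript template literal pattern from CVE-2023-24538. On a patched toolchain the empty attribute value is replaced by the ZgotmplZ failsafe token instead of being dropped, and the action inside the template literal is either rejected with an error or has its backtick escaped.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// render parses a constructed html/template source and executes it with the
// given data, returning the output or the first error from Parse or Execute.
func render(src string, data any) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnquotedAttr is the CVE-2023-29400 pattern: an action used as an
// unquoted attribute value. A patched toolchain renders an empty value as the
// "ZgotmplZ" failsafe token, so the following alt attribute cannot be absorbed
// into the title value. The template text is constructed for this example.
func RenderUnquotedAttr(value string) (string, error) {
	return render(`<img src=x title={{.}} alt=y>`, value)
}

// JSTemplateLiteralGuarded is the CVE-2023-24538 pattern: an action inside a
// JavaScript template literal. Call it with a probe value containing a
// backtick; it reports true when the toolchain either refuses the template
// (the ErrJSTemplate error described above) or escapes the backtick, and
// false only if the raw probe value reaches the output unchanged.
func JSTemplateLiteralGuarded(probe string) bool {
	out, err := render("<script>var a = `{{.}}`;</script>", probe)
	if err != nil {
		return true
	}
	return !strings.Contains(out, probe)
}

func main() {
	for _, v := range []string{"", "hello"} {
		out, err := RenderUnquotedAttr(v)
		fmt.Printf("unquoted attr %q -> %q (err=%v)\n", v, out, err)
	}
	fmt.Println("JS template literal guarded:", JSTemplateLiteralGuarded("x`y"))
}
```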
Impact
No impact. We use the Go package html/template and our HTML templates are static. We also do not accept or parse any provided user data.
Affected Products
Not applicable.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-29404 - CGO LDFLAGS Vulnerability Security Advisory - 9.8 CVSS
The go command can execute any code during the build process when using cgo. This can happen when using the go get command on a malicious module or any other command that builds untrusted code. It can also be triggered by linker flags specified through the #cgo LDFLAGS directive. Mishandling of non-optional flags during LDFLAGS sanitization allows disallowed flags to slip through and reach both the gc and gccgo compilers.
Impact
No impact. This is not a runtime issue and we do not compile untrusted code.
Affected Products
Not applicable.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-29402 - Go Modules Vulnerability Security Advisory - 9.8 CVSS
The go command may generate unexpected code at build time when using cgo. Using unexpected code with cgo can cause unexpected behavior in Go programs. This may occur when an untrusted module contains directories with newline characters in their names. Go modules retrieved using the command go get are unaffected. Modules retrieved using the legacy module retrieval method with the environment variables GOPATH and GO111MODULE=off may be affected.
Impact
No impact. This is not a runtime issue and we do not compile untrusted code.
Affected Products
Not applicable.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-29402 - Go get Vulnerability Security Advisory - 9.8 CVSS
The go command may execute arbitrary code at build time when using cgo. The arbitrary code execution may occur when the command go get is issued on a malicious module or when using any other command that builds untrusted code. This can be triggered by linker flags specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are mishandled, and disallowed flags are smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects the gccgo compiler.
Impact
No impact. This is not a runtime issue and we do not compile untrusted code.
Affected Products
Not applicable.
Patches
Not applicable.
Workarounds
Not applicable.
References
September 01, 2023 - CVE-2023-24540 - HTML Template Security Advisory - 9.8 CVSS
Not all valid JavaScript whitespace characters are considered to be whitespace. JavaScript templates containing whitespace characters outside of the character set \t\n\f\r\u0020\u2028\u2029 may not be properly sanitized during execution.
Impact
No impact. We use the Go package html/template, but our HTML templates are static. We also do not accept or parse any provided user data.
Patches
Not applicable.
Workarounds
Not applicable.
References
March 20, 2023 - CVE-2023-22809 Sudo Vulnerability in Palette - 7.8 CVSS
A security vulnerability in the sudo -e option (aka sudoedit) allows a malicious user with sudoedit privileges to edit arbitrary files. The Palette container palette-controller-manager:mold-manager incorporates a sudo version affected by the sudoers policy bypass in sudo when using sudoedit.
All versions of Palette before v2.6.70 are affected.
Impact
A local user with permission to edit files can use this flaw to change a file not permitted by the security policy, resulting in privilege escalation.
Resolution
- For Palette SaaS, this has been addressed and requires no user action.
- For Palette self-hosted deployments, please upgrade to newer versions greater than or equal to v2.6.70 to address the reported vulnerability.
Workarounds
None.
References
August 4, 2022 - CVE-2022-1292 c_rehash script vulnerability in vSphere CSI pack - 9.8 CVSS
On May 3, 2022, OpenSSL published a security advisory disclosing a command injection vulnerability in the c_rehash script included with the OpenSSL library. Some operating systems automatically execute this script as a part of normal operations, which could allow an attacker to execute arbitrary commands with elevated privileges.
Palette is not directly affected by this vulnerability. However, if your cluster profile is using the vSphere CSI pack, version v2.3 or below, it contains a vulnerable version of the c_rehash script.
Impact
The c_rehash script does not sanitize shell metacharacters properly to prevent command injection. This script is distributed by some operating systems, and by extension in container images, in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
Resolution
This vulnerability has been addressed in vSphere CSI pack versions v2.6 and greater.
Workarounds
Update cluster profiles using the vSphere CSI pack to version v2.6 or greater. Apply the updated cluster profile changes to all clusters consuming the cluster profile.