GHSA-J5Q5-J9GM-2W5C

Vulnerability from github – Published: 2026-03-18 20:20 – Updated: 2026-03-25 20:48
Summary
Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod
Details

Summary

The Tekton Pipelines git resolver is vulnerable to path traversal via the pathInRepo parameter. A tenant with permission to create ResolutionRequests (e.g. by creating TaskRuns or PipelineRuns that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in resolutionrequest.status.data.

Details

The git resolver's getFileContent() function in pkg/resolution/resolver/git/repository.go constructs a file path by joining the repository clone directory with the user-supplied pathInRepo parameter:

fileContents, err := os.ReadFile(filepath.Join(repo.directory, path))

The pathInRepo parameter is not validated for path traversal sequences. An attacker can supply values like ../../../../etc/passwd to escape the cloned repository directory and read arbitrary files from the resolver pod's filesystem.

The vulnerability was introduced in commit 318006c4e3a5 which switched the git resolver from the go-git library (using an in-memory filesystem that cannot be escaped) to shelling out to the git binary and reading files with os.ReadFile() from the real filesystem.

Impact

Arbitrary file read — A namespace-scoped tenant who can create TaskRuns or PipelineRuns with git resolver parameters can read any file readable by the resolver pod process.

Credential exfiltration and privilege escalation — The resolver pod's ServiceAccount token is readable at a well-known path (/var/run/secrets/kubernetes.io/serviceaccount/token). In the default RBAC configuration, the tekton-pipelines-resolvers ServiceAccount has get, list, and watch permissions on secrets cluster-wide. An attacker who exfiltrates this token gains the ability to read all Secrets across all namespaces, escalating from namespace-scoped access to cluster-wide secret access.

Patches

Fixed in 1.0.x, 1.3.x, 1.6.x, 1.9.x, 1.10.x.

The fix validates pathInRepo to reject paths containing .. components at parameter validation time, and adds a containment check using filepath.EvalSymlinks() to prevent symlink-based escapes from attacker-controlled repositories.

Workarounds

There is no workaround other than restricting which users can create TaskRuns, PipelineRuns, or ResolutionRequests that use the git resolver. Administrators can also reduce the impact by scoping the resolver pod's ServiceAccount RBAC permissions using a custom ClusterRole with more restrictive rules.

Affected Versions

All releases from v1.0.0 through v1.10.0, including all patch releases:

  • v1.0.0, v1.1.0, v1.2.0
  • v1.3.0, v1.3.1, v1.3.2
  • v1.4.0, v1.5.0, v1.6.0, v1.7.0
  • v1.9.0, v1.9.1, v1.10.0

Releases prior to v1.0.0 (e.g. v0.70.0 and earlier) are not affected because they used the go-git library's in-memory filesystem where path traversal cannot escape the git worktree.

Acknowledgments

This vulnerability was reported by Oleh Konko (@1seal), who provided a thorough vulnerability analysis, proof-of-concept, and review of the fix. Thank you!

References

  • Fix: (link to merged PR/commit)
  • Introduced in: 318006c4e3a5 ("fix: resolve Git Anonymous Resolver excessive memory usage")

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tektoncd/pipeline"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tektoncd/pipeline"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tektoncd/pipeline"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tektoncd/pipeline"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tektoncd/pipeline"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T20:20:10Z",
    "nvd_published_at": "2026-03-24T00:16:29Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `ResolutionRequests` (e.g. by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can read arbitrary files from the resolver pod\u0027s filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in `resolutionrequest.status.data`.\n\n### Details\n\nThe git resolver\u0027s `getFileContent()` function in `pkg/resolution/resolver/git/repository.go` constructs a file path by joining the repository clone directory with the user-supplied `pathInRepo` parameter:\n\n```go\nfileContents, err := os.ReadFile(filepath.Join(repo.directory, path))\n```\n\nThe `pathInRepo` parameter is not validated for path traversal sequences. An attacker can supply values like `../../../../etc/passwd` to escape the cloned repository directory and read arbitrary files from the resolver pod\u0027s filesystem.\n\nThe vulnerability was introduced in commit `318006c4e3a5` which switched the git resolver from the go-git library (using an in-memory filesystem that cannot be escaped) to shelling out to the `git` binary and reading files with `os.ReadFile()` from the real filesystem.\n\n### Impact\n\n**Arbitrary file read** \u2014 A namespace-scoped tenant who can create `TaskRuns` or `PipelineRuns` with git resolver parameters can read any file readable by the resolver pod process.\n\n**Credential exfiltration and privilege escalation** \u2014 The resolver pod\u0027s ServiceAccount token is readable at a well-known path (`/var/run/secrets/kubernetes.io/serviceaccount/token`). In the default RBAC configuration, the `tekton-pipelines-resolvers` ServiceAccount has `get`, `list`, and `watch` permissions on `secrets` cluster-wide. An attacker who exfiltrates this token gains the ability to read all Secrets across all namespaces, escalating from namespace-scoped access to cluster-wide secret access.\n\n### Patches\n\nFixed in 1.0.x, 1.3.x, 1.6.x, 1.9.x, 1.10.x.\n\nThe fix validates `pathInRepo` to reject paths containing `..` components at parameter validation time, and adds a containment check using `filepath.EvalSymlinks()` to prevent symlink-based escapes from attacker-controlled repositories.\n\n### Workarounds\n\nThere is no workaround other than restricting which users can create `TaskRuns`, `PipelineRuns`, or `ResolutionRequests` that use the git resolver. Administrators can also reduce the impact by scoping the resolver pod\u0027s ServiceAccount RBAC permissions using a custom `ClusterRole` with more restrictive rules.\n\n### Affected Versions\n\nAll releases from **v1.0.0** through **v1.10.0**, including all patch releases:\n\n- v1.0.0, v1.1.0, v1.2.0\n- v1.3.0, v1.3.1, v1.3.2\n- v1.4.0, v1.5.0, v1.6.0, v1.7.0\n- v1.9.0, v1.9.1, v1.10.0\n\nReleases prior to v1.0.0 (e.g. v0.70.0 and earlier) are **not affected** because they used the go-git library\u0027s in-memory filesystem where path traversal cannot escape the git worktree.\n\n### Acknowledgments\n\nThis vulnerability was reported by Oleh Konko (@1seal), who provided a thorough vulnerability analysis, proof-of-concept, and review of the fix. Thank you!\n\n### References\n\n- Fix: _(link to merged PR/commit)_\n- Introduced in: `318006c4e3a5` (\"fix: resolve Git Anonymous Resolver excessive memory usage\")",
  "id": "GHSA-j5q5-j9gm-2w5c",
  "modified": "2026-03-25T20:48:04Z",
  "published": "2026-03-18T20:20:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33211"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e34687c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tektoncd/pipeline/commit/318006c4e3a5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0a75ae"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d9ee5e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b9cb78"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tektoncd/pipeline"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod"
}

