GSA_kwCzR0hTQS01cG14LTdyNnItd2Zxcc4ABOM7

Low

Permalink JSON

Kgateway transformation policy template can emit files from the container

Affected Packages	Affected Versions	Fixed Versions
go:github.com/kgateway-dev/kgateway/v2 PURL: `pkg:go/github.com%2Fkgateway-dev%2Fkgateway%2Fv2`	>= 2.1.0-agw-cel-rbac, < 2.1.0, < 2.0.5	2.1.0, 2.0.5
0 Dependent packages 0 Dependent repositories Affected Version Ranges All affected versions v2.0.0, v2.0.0-beta1, v2.0.0-beta2, v2.0.0-beta3, v2.0.0-main, v2.0.0-rc.1, v2.0.0-rc.2, v2.0.0-rc.3, v2.0.1, v2.0.2, v2.0.3, v2.0.4, v2.1.0-agw-cel-rbac, v2.1.0-main, v2.1.0-rc.1, v2.1.0-rc.2 All unaffected versions v2.0.5, v2.1.0, v2.1.1

Summary

The transformation policy template feature in Kgateway versions through 2.0.4 allows users with TrafficPolicy creation permissions to craft transformations that read and expose arbitrary files from the dataplane container filesystem.

Description

Impact

Users with permissions to create a TrafficPolicy can create a transformation that returns files from within the dataplane container. While no secrets are mounted to the container by default, users who mount custom volumes to the dataplane should be aware of potential data exposure through this vulnerability.

This could allow unauthorized access to:

Configuration files within the container
Custom mounted volumes and their contents
Any files accessible to the dataplane container process

Patches

Upgrade to version 2.0.5 or 2.1.0. These versions include an updated transformation filter in envoy-gloo that prevents file access through transformation templates.

Workarounds

If you are not using transformations, you can disallow TrafficPolicy creation or restrict transformation usage using a ValidatingAdmissionPolicy to prevent exploitation while preparing to upgrade.

References

Fix in 2.1.0: https://github.com/kgateway-dev/kgateway/pull/12528 (envoy-gloo v1.35.2-patch4)
Backport to 2.0.5: Included in https://github.com/kgateway-dev/kgateway/pull/12535 (envoy-gloo v1.34.6-patch3)
Envoy-gloo releases: https://github.com/solo-io/envoy-gloo/releases/tag/v1.35.2-patch4
Envoy-gloo releases: https://github.com/solo-io/envoy-gloo/releases/tag/v1.34.6-patch3

Credits

Kindly reported by @rikatz

For More Information

If you have any questions or comments about this advisory, please reach out in slack https://cloud-native.slack.com/archives/C080D3PJMS4

References:

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories

GSA_kwCzR0hTQS01cG14LTdyNnItd2Zxcc4ABOM7

Kgateway transformation policy template can emit files from the container

Affected Version Ranges

All affected versions

All unaffected versions

Summary

Description

Impact

Patches

Workarounds

References

Credits

For More Information

Identifiers

Risk

Severity

Classification

Source

Origin

Repository

Date and time

Published

Updated

API