GHSA-7M8X-QG2J-4M3V
Vulnerability from github – Published: 2026-06-30 18:12 – Updated: 2026-06-30 18:12Summary
The Fission MessageQueueTrigger (MQT) scaler controller exposed two privilege-escalation primitives to any subject able to create MQTs in a namespace.
Details
1. Secret materialization. getEnvVarlist in pkg/mqtrigger/scalermanager.go read the Secret named in Spec.Secret using the controller's cluster-wide secrets/get RBAC and emitted each key as a literal EnvVar.Value, copying
the plaintext secret content into the connector Deployment's pod template. A subject holding messagequeuetriggers/create but not secrets/get could exfiltrate any Secret in the namespace by pointing an MQT at it.
2. PodSpec injection. Spec.PodSpec was merged into the controller-built connector PodSpec via util.MergePodSpec with no allowlist on which fields could come from the user. An MQT could substitute Containers[].Image (run any
image), override Command/Args, inject Env, add VolumeMounts + Volumes, override ServiceAccountName, and set HostNetwork/HostPID/HostIPC — turning messagequeuetriggers/create into effective deployments/create with an
arbitrary image and service account.
Impact
A tenant with only messagequeuetriggers.fission.io/create in a namespace could read any Secret in that namespace and run an arbitrary container image under an arbitrary service account, escalating well beyond their intended RBAC.
Fix
Fixed in #3367 and released in v1.24.0.
getEnvVarlistnow emitsEnvVar.ValueFrom.SecretKeyRefso the connector pod resolves values at start time under its own service account. The secret values are never written into the Deployment object and never logged.- A new allowlist,
MergeAllowedPodSpecFields(pkg/executor/util/merge_allowlist.go), accepts onlyNodeSelector,Tolerations,Affinity,RuntimeClassName, and per-containerResources. All other user-supplied fields are dropped at the controller layer, and the validating webhook rejects every populated non-allowlisted field with a clear error. The webhook and the merge helper share a single canonicalDisallowedPodSpecFieldsenumeration so they cannot drift.
Behavioural change
MQT authors that previously overrode the connector image, command, args, env, volumes, service account, or host namespaces via Spec.PodSpec will see those fields rejected at admission (or silently dropped if the webhook is disabled).
Allowlisted fields flow through unchanged.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.23.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/fission/fission"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-269",
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:12:48Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nThe Fission MessageQueueTrigger (MQT) scaler controller exposed two privilege-escalation primitives to any subject able to create MQTs in a namespace.\n\n### Details\n\n**1. Secret materialization.** `getEnvVarlist` in `pkg/mqtrigger/scalermanager.go` read the Secret named in `Spec.Secret` using the controller\u0027s cluster-wide `secrets/get` RBAC and emitted each key as a literal `EnvVar.Value`, copying\nthe plaintext secret content into the connector Deployment\u0027s pod template. A subject holding `messagequeuetriggers/create` but **not** `secrets/get` could exfiltrate any Secret in the namespace by pointing an MQT at it.\n\n**2. PodSpec injection.** `Spec.PodSpec` was merged into the controller-built connector PodSpec via `util.MergePodSpec` with no allowlist on which fields could come from the user. An MQT could substitute `Containers[].Image` (run any\nimage), override `Command`/`Args`, inject `Env`, add `VolumeMounts` + `Volumes`, override `ServiceAccountName`, and set `HostNetwork`/`HostPID`/`HostIPC` \u2014 turning `messagequeuetriggers/create` into effective `deployments/create` with an\n arbitrary image and service account.\n\n### Impact\n\nA tenant with only `messagequeuetriggers.fission.io/create` in a namespace could read any Secret in that namespace and run an arbitrary container image under an arbitrary service account, escalating well beyond their intended RBAC.\n\n### Fix\n\nFixed in [#3367](https://github.com/fission/fission/pull/3367) and released in [v1.24.0](https://github.com/fission/fission/releases/tag/v1.24.0).\n\n- `getEnvVarlist` now emits `EnvVar.ValueFrom.SecretKeyRef` so the connector pod resolves values at start time under its own service account. The secret values are never written into the Deployment object and never logged.\n- A new allowlist, `MergeAllowedPodSpecFields` (`pkg/executor/util/merge_allowlist.go`), accepts only `NodeSelector`, `Tolerations`, `Affinity`, `RuntimeClassName`, and per-container `Resources`. All other user-supplied fields are\ndropped at the controller layer, and the validating webhook rejects every populated non-allowlisted field with a clear error. The webhook and the merge helper share a single canonical `DisallowedPodSpecFields` enumeration so they cannot\ndrift.\n\n### Behavioural change\n\nMQT authors that previously overrode the connector image, command, args, env, volumes, service account, or host namespaces via `Spec.PodSpec` will see those fields rejected at admission (or silently dropped if the webhook is disabled).\nAllowlisted fields flow through unchanged.",
"id": "GHSA-7m8x-qg2j-4m3v",
"modified": "2026-06-30T18:12:48Z",
"published": "2026-06-30T18:12:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fission/fission/security/advisories/GHSA-7m8x-qg2j-4m3v"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/pull/3367"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/commit/94bf5792396989fdd71961e8701833c8110da889"
},
{
"type": "PACKAGE",
"url": "https://github.com/fission/fission"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/releases/tag/v1.24.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.