RHSA-2026:6170

Vulnerability from csaf_redhat - Published: 2026-03-30 12:14 - Updated: 2026-04-01 13:37
Summary
Red Hat Security Advisory: Red Hat OpenShift Pipelines Release 1.21.1
Severity
Important
Notes
Topic: The 1.21.1 GA release of Red Hat OpenShift Pipelines Operator.. For more details see [product documentation](https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines).
Details: The 1.21.1 release of Red Hat OpenShift Pipelines Operator.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2025-66506

A flaw was found in Fulcio, a free-to-use certificate authority. This vulnerability allows a denial of service (DoS) due to excessive memory allocation when processing a malicious OpenID Connect (OIDC) identity token containing numerous period characters.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-405 - Asymmetric Resource Consumption (Amplification)
Vendor Fix Red Hat OpenShift Pipelines is a cloud-native, continuous integration and continuous delivery (CI/CD) solution based on Kubernetes resources. It uses Tekton building blocks to automate deployments across multiple platforms by abstracting away the underlying implementation details. Tekton introduces a number of standard custom resource definitions (CRDs) for defining CI/CD pipelines that are portable across Kubernetes distributions. https://access.redhat.com/errata/RHSA-2026:6170
CVE-2026-25639

A denial of service flaw has been discovered in the Axios npm package. the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1287 - Improper Validation of Specified Type of Input
Vendor Fix Red Hat OpenShift Pipelines is a cloud-native, continuous integration and continuous delivery (CI/CD) solution based on Kubernetes resources. It uses Tekton building blocks to automate deployments across multiple platforms by abstracting away the underlying implementation details. Tekton introduces a number of standard custom resource definitions (CRDs) for defining CI/CD pipelines that are portable across Kubernetes distributions. https://access.redhat.com/errata/RHSA-2026:6170
Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
CVE-2026-33022

A denial of service flaw was found in Tekton Pipelines. Any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness.

6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-130 - Improper Handling of Length Parameter Inconsistency
Vendor Fix Red Hat OpenShift Pipelines is a cloud-native, continuous integration and continuous delivery (CI/CD) solution based on Kubernetes resources. It uses Tekton building blocks to automate deployments across multiple platforms by abstracting away the underlying implementation details. Tekton introduces a number of standard custom resource definitions (CRDs) for defining CI/CD pipelines that are portable across Kubernetes distributions. https://access.redhat.com/errata/RHSA-2026:6170
Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
CVE-2026-33211

A flaw was found in Tekton Pipelines, specifically in the Tekton Pipelines git resolver. A tenant with permissions to create ResolutionRequests can exploit a path traversal vulnerability via the `pathInRepo` parameter. This allows the tenant to read arbitrary files from the resolver pod's filesystem, leading to information disclosure, including sensitive ServiceAccount tokens. The contents of these files are returned in a base64-encoded format.

7.7 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vendor Fix Red Hat OpenShift Pipelines is a cloud-native, continuous integration and continuous delivery (CI/CD) solution based on Kubernetes resources. It uses Tekton building blocks to automate deployments across multiple platforms by abstracting away the underlying implementation details. Tekton introduces a number of standard custom resource definitions (CRDs) for defining CI/CD pipelines that are portable across Kubernetes distributions. https://access.redhat.com/errata/RHSA-2026:6170
Workaround To mitigate this vulnerability, restrict the creation of ResolutionRequests to trusted users and service accounts. Implement strict Role-Based Access Control (RBAC) policies to limit which tenants can create TaskRuns or PipelineRuns that utilize the Tekton Pipelines git resolver. This reduces the exposure by preventing unauthorized access to the resolver pod's filesystem.
References
https://access.redhat.com/errata/RHSA-2026:6170 self
https://access.redhat.com/security/cve/CVE-2025-66506 external
https://access.redhat.com/security/cve/CVE-2026-25639 external
https://access.redhat.com/security/cve/CVE-2026-33022 external
https://access.redhat.com/security/cve/CVE-2026-33211 external
https://access.redhat.com/security/updates/classi… external
https://docs.redhat.com/en/documentation/red_hat_… external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2025-66506 self
https://bugzilla.redhat.com/show_bug.cgi?id=2419056 external
https://www.cve.org/CVERecord?id=CVE-2025-66506 external
https://nvd.nist.gov/vuln/detail/CVE-2025-66506 external
https://github.com/sigstore/fulcio/commit/765a0e5… external
https://github.com/sigstore/fulcio/security/advis… external
https://access.redhat.com/security/cve/CVE-2026-25639 self
https://bugzilla.redhat.com/show_bug.cgi?id=2438237 external
https://www.cve.org/CVERecord?id=CVE-2026-25639 external
https://nvd.nist.gov/vuln/detail/CVE-2026-25639 external
https://github.com/axios/axios/commit/28c721588c7… external
https://github.com/axios/axios/releases/tag/v1.13.5 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-33022 self
https://bugzilla.redhat.com/show_bug.cgi?id=2449483 external
https://www.cve.org/CVERecord?id=CVE-2026-33022 external
https://nvd.nist.gov/vuln/detail/CVE-2026-33022 external
https://github.com/tektoncd/pipeline/commit/5eead… external
https://github.com/tektoncd/pipeline/security/adv… external
https://access.redhat.com/security/cve/CVE-2026-33211 self
https://bugzilla.redhat.com/show_bug.cgi?id=2450554 external
https://www.cve.org/CVERecord?id=CVE-2026-33211 external
https://nvd.nist.gov/vuln/detail/CVE-2026-33211 external
https://github.com/tektoncd/pipeline/commit/10fa5… external
https://github.com/tektoncd/pipeline/commit/31800… external
https://github.com/tektoncd/pipeline/commit/3ca7b… external
https://github.com/tektoncd/pipeline/commit/96138… external
https://github.com/tektoncd/pipeline/commit/b1fee… external
https://github.com/tektoncd/pipeline/commit/cdb4e… external
https://github.com/tektoncd/pipeline/commit/ec775… external
https://github.com/tektoncd/pipeline/security/adv… external
To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "The 1.21.1 GA release of Red Hat OpenShift Pipelines Operator..\nFor more details see [product documentation](https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines).",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The 1.21.1 release of Red Hat OpenShift Pipelines Operator.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:6170",
        "url": "https://access.redhat.com/errata/RHSA-2026:6170"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-66506",
        "url": "https://access.redhat.com/security/cve/CVE-2025-66506"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-25639",
        "url": "https://access.redhat.com/security/cve/CVE-2026-25639"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-33022",
        "url": "https://access.redhat.com/security/cve/CVE-2026-33022"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-33211",
        "url": "https://access.redhat.com/security/cve/CVE-2026-33211"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines",
        "url": "https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6170.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenShift Pipelines Release 1.21.1",
    "tracking": {
      "current_release_date": "2026-04-01T13:37:33+00:00",
      "generator": {
        "date": "2026-04-01T13:37:33+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.4"
        }
      },
      "id": "RHSA-2026:6170",
      "initial_release_date": "2026-03-30T12:14:24+00:00",
      "revision_history": [
        {
          "date": "2026-03-30T12:14:24+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-30T12:15:19+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-01T13:37:33+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Pipelines 1.21",
                "product": {
                  "name": "Red Hat OpenShift Pipelines 1.21",
                  "product_id": "Red Hat OpenShift Pipelines 1.21",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_pipelines:1.21::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Pipelines"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64",
                  "product_id": "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/pipelines-operator-bundle@sha256%3A6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080?arch=amd64\u0026repository_url=registry.redhat.io/openshift-pipelines\u0026tag=1774871390"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64 as a component of Red Hat OpenShift Pipelines 1.21",
          "product_id": "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Pipelines 1.21"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-66506",
      "cwe": {
        "id": "CWE-405",
        "name": "Asymmetric Resource Consumption (Amplification)"
      },
      "discovery_date": "2025-12-04T23:01:20.507333+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2419056"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Fulcio, a free-to-use certificate authority. This vulnerability allows a denial of service (DoS) due to excessive memory allocation when processing a malicious OpenID Connect (OIDC) identity token containing numerous period characters.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Important for Red Hat as Fulcio, a certificate authority used for issuing code signing certificates, is susceptible to a denial of service when processing a specially crafted OpenID Connect (OIDC) token. This could lead to resource exhaustion and service unavailability in affected Red Hat products that utilize Fulcio.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-66506"
        },
        {
          "category": "external",
          "summary": "RHBZ#2419056",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419056"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-66506",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-66506"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66506",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66506"
        },
        {
          "category": "external",
          "summary": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a",
          "url": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a"
        },
        {
          "category": "external",
          "summary": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw",
          "url": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw"
        }
      ],
      "release_date": "2025-12-04T22:04:41.637000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-30T12:14:24+00:00",
          "details": "Red Hat OpenShift Pipelines is a cloud-native, continuous integration and\ncontinuous delivery (CI/CD) solution based on Kubernetes resources.\nIt uses Tekton building blocks to automate deployments across multiple\nplatforms by abstracting away the underlying implementation details.\nTekton introduces a number of standard custom resource definitions (CRDs)\nfor defining CI/CD pipelines that are portable across Kubernetes distributions.",
          "product_ids": [
            "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6170"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token"
    },
    {
      "cve": "CVE-2026-25639",
      "cwe": {
        "id": "CWE-1287",
        "name": "Improper Validation of Specified Type of Input"
      },
      "discovery_date": "2026-02-09T21:00:49.280114+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2438237"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service flaw has been discovered in the Axios npm package. the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-25639"
        },
        {
          "category": "external",
          "summary": "RHBZ#2438237",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438237"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-25639",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-25639"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-25639",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25639"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57",
          "url": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/releases/tag/v1.13.5",
          "url": "https://github.com/axios/axios/releases/tag/v1.13.5"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433"
        }
      ],
      "release_date": "2026-02-09T20:11:22.374000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-30T12:14:24+00:00",
          "details": "Red Hat OpenShift Pipelines is a cloud-native, continuous integration and\ncontinuous delivery (CI/CD) solution based on Kubernetes resources.\nIt uses Tekton building blocks to automate deployments across multiple\nplatforms by abstracting away the underlying implementation details.\nTekton introduces a number of standard custom resource definitions (CRDs)\nfor defining CI/CD pipelines that are portable across Kubernetes distributions.",
          "product_ids": [
            "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6170"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig"
    },
    {
      "cve": "CVE-2026-33022",
      "cwe": {
        "id": "CWE-130",
        "name": "Improper Handling of Length Parameter Inconsistency"
      },
      "discovery_date": "2026-03-20T08:01:37.605922+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2449483"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service flaw was found in Tekton Pipelines. Any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/tektoncd/pipeline: Tekton Pipelines: Denial of Service via long resolver names",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33022"
        },
        {
          "category": "external",
          "summary": "RHBZ#2449483",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449483"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33022",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33022"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33022",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33022"
        },
        {
          "category": "external",
          "summary": "https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6",
          "url": "https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6"
        },
        {
          "category": "external",
          "summary": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj",
          "url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj"
        }
      ],
      "release_date": "2026-03-20T07:48:15.383000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-30T12:14:24+00:00",
          "details": "Red Hat OpenShift Pipelines is a cloud-native, continuous integration and\ncontinuous delivery (CI/CD) solution based on Kubernetes resources.\nIt uses Tekton building blocks to automate deployments across multiple\nplatforms by abstracting away the underlying implementation details.\nTekton introduces a number of standard custom resource definitions (CRDs)\nfor defining CI/CD pipelines that are portable across Kubernetes distributions.",
          "product_ids": [
            "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6170"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "github.com/tektoncd/pipeline: Tekton Pipelines: Denial of Service via long resolver names"
    },
    {
      "cve": "CVE-2026-33211",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2026-03-24T00:02:20.093480+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2450554"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Tekton Pipelines, specifically in the Tekton Pipelines git resolver. A tenant with permissions to create ResolutionRequests can exploit a path traversal vulnerability via the `pathInRepo` parameter. This allows the tenant to read arbitrary files from the resolver pod\u0027s filesystem, leading to information disclosure, including sensitive ServiceAccount tokens. The contents of these files are returned in a base64-encoded format.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Tekton Pipelines: github.com/tektoncd/pipeline: Tekton Pipelines: Information disclosure via path traversal in git resolver",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33211"
        },
        {
          "category": "external",
          "summary": "RHBZ#2450554",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450554"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33211",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33211"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33211",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33211"
        },
        {
          "category": "external",
          "summary": "https://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e34687c",
          "url": "https://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e34687c"
        },
        {
          "category": "external",
          "summary": "https://github.com/tektoncd/pipeline/commit/318006c4e3a5",
          "url": "https://github.com/tektoncd/pipeline/commit/318006c4e3a5"
        },
        {
          "category": "external",
          "summary": "https://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd",
          "url": "https://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd"
        },
        {
          "category": "external",
          "summary": "https://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0a75ae",
          "url": "https://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0a75ae"
        },
        {
          "category": "external",
          "summary": "https://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d9ee5e",
          "url": "https://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d9ee5e"
        },
        {
          "category": "external",
          "summary": "https://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db",
          "url": "https://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db"
        },
        {
          "category": "external",
          "summary": "https://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b9cb78",
          "url": "https://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b9cb78"
        },
        {
          "category": "external",
          "summary": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c",
          "url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c"
        }
      ],
      "release_date": "2026-03-23T23:55:54.089000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-30T12:14:24+00:00",
          "details": "Red Hat OpenShift Pipelines is a cloud-native, continuous integration and\ncontinuous delivery (CI/CD) solution based on Kubernetes resources.\nIt uses Tekton building blocks to automate deployments across multiple\nplatforms by abstracting away the underlying implementation details.\nTekton introduces a number of standard custom resource definitions (CRDs)\nfor defining CI/CD pipelines that are portable across Kubernetes distributions.",
          "product_ids": [
            "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6170"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, restrict the creation of ResolutionRequests to trusted users and service accounts. Implement strict Role-Based Access Control (RBAC) policies to limit which tenants can create TaskRuns or PipelineRuns that utilize the Tekton Pipelines git resolver. This reduces the exposure by preventing unauthorized access to the resolver pod\u0027s filesystem.",
          "product_ids": [
            "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Pipelines 1.21:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:6585794d76cffb3f87fc7eacb905f0dd5f02476f717c911f2c0faf7c4081a080_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Tekton Pipelines: github.com/tektoncd/pipeline: Tekton Pipelines: Information disclosure via path traversal in git resolver"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.