logo

Database

Excessive privileges In github.com/fission/fission

Description

Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables

Summary

Before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command(...) after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace observed by the buildermgr could thereby point the builder pod at any executable inside the builder image (e.g. /bin/sh -c '...') and execute arbitrary code in the builder pod context.

Affected component

    pkg/builder/builder.go:254 — call site (exec.Command(buildCmd, buildArgs...)).

    pkg/builder/builder.go:106 — input source: buildCmd, buildArgs = strings.Fields(req.BuildCommand)[0], strings.Fields(req.BuildCommand)[1:].

Impact

A subject with create / update privilege on Environment objects could:

    Cause the builder pod for any package using that environment to execute arbitrary code.

    Read whatever files the builder pod has access to inside its /packages shared volume (deployment archive payloads for that package).

    Write arbitrary content into the /packages shared volume, which the fetcher subsequently uploads as the package deployment archive.

The builder pod runs in the user's namespace with the fission-builder SA (not the more-privileged executor SA), so the impact is bounded to that namespace's package contents and the builder pod's own filesystem. PR:H reflects that creating / modifying Environment CRDs is typically restricted to cluster admins or platform operators.

Root cause

pkg/builder/builder.go's build-command parser did not validate the resulting executable path. Although exec.Command does not invoke a shell, it does locate the executable via $PATH, and strings.Fields splitting allowed multiple flags / sub-arguments to be passed.

Fix

Released in v1.23.0:

    PR #3364 (commit 0f45c911) introduces Builder.resolveBuildCommand in pkg/builder/builder.go, which:

      Accepts an empty string (treated as the default /build).

      Accepts the literal /build.

      Accepts any absolute path that survives filepath.Clean and contains no .. segments.

      Rejects anything containing whitespace metacharacters or relative paths.

    exec.Command still receives only the validated absolute path; sub-arguments continue to come from strings.Fields of the original string but are now passed positionally with no shell expansion.

Mitigation (until upgrade)

    Restrict who can create / update Environment CRDs to trusted operators only.

    Audit Environment.spec.builder.command values for any non-/build paths.

    Run the buildermgr with a tightened ServiceAccount that has no secret access in the builder namespace.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-466182. NVD-2026-466183. OSV-2026-466184. GHSA-7pjr-qpvh-m3395. GCVE-2026-46618

References

1. https://github.com/fission/fission/security/advisories/GHSA-7pjr-qpvh-m3392. https://github.com/fission/fission/pull/33643. https://github.com/fission/fission/releases/tag/v1.23.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.