What is CVE-2023-37264?

CVE-2023-37264 is a low-severity vulnerability in Tektoncd Pipeline, classified under Insufficient Verification of Data Authenticity. CVSS score: 3.7/10. Published 2023-07-07.

How severe is CVE-2023-37264?

Low severity. CVSS v3 base score is 3.7 out of 10.

Is CVE-2023-37264 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Tektoncd Pipeline

CVE-2023-37264

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Ta…

EPSS: 0.001 (27.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.7 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N.

Affected products

Tektoncd Pipeline — versions >= 0.35.0, <= 0.49.0

Weakness classification (CWE)

CWE-345 — Insufficient Verification of Data Authenticity

Public proof-of-concept exploits

felipecruz91/e2e-scout

References

https://github.com/tektoncd/pipeline/security/advisories/GHSA-w2h3-vvvq-3m53 (x_refsource_CONFIRM)
https://github.com/tektoncd/pipeline/blob/2d38f5fa840291395178422d34b36b1bc739e2a2/pkg/reconciler/pipelinerun/pipelinerun.go#L1358-L1372 (x_refsource_MISC)
https://pkg.go.dev/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1#ChildStatusReference (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-37264?: CVE-2023-37264 is a low-severity vulnerability in Tektoncd Pipeline, classified under Insufficient Verification of Data Authenticity. CVSS score: 3.7/10. Published 2023-07-07.
How severe is CVE-2023-37264?: Low severity. CVSS v3 base score is 3.7 out of 10.
Is CVE-2023-37264 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.