Home > Vulnerability Database > CVE-2022-41939

Mend.io Vulnerability Database

CVE-2022-41939

Date: November 18, 2022

knative.dev/func is is a client library and CLI enabling the development and deployment of Kubernetes functions. Developers using a malicious or compromised third-party buildpack could expose their registry credentials or local docker socket to a malicious "lifecycle" container. This issues has been patched in PR #1442, and is part of release 1.8.1. This issue only affects users who are using function buildpacks from third-parties; pinning the builder image to a specific content-hash with a valid "lifecycle" image will also mitigate the attack.

Language: Go

Severity Score

6.1

Related Resources (6)

Url: https://github.com/knative/func/releases/tag/knative-v1.8.1

Url: https://github.com/knative/func/pull/1442

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-41939

Url: https://github.com/knative/func/security/advisories/GHSA-5336-2g3f-9g3m

Url: https://github.com/knative/func/blob/5ca77d38744d3481cc0b795f607c5859b19588fc/buildpacks/builder.go#L37-L41

Url: https://www.mend.io/vulnerability-database/CVE-2022-41939

Severity Score

6.1

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-41939

Date: November 18, 2022

Language: Go

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?