Tekton Pipelines git resolver has path traversal that allows reading arbitrary files from the resolver pod
Description
Tekton Pipelines provides Kubernetes-style resources for declaring CI/CD pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal via the pathInRepo parameter: the tenant-supplied path is not confined to the repository checkout. A tenant with permission to create ResolutionRequests (for example, by creating TaskRuns or PipelineRuns that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including the pod's ServiceAccount token, which lets that tenant call the Kubernetes API with the resolver's own permissions. The file contents are returned base64-encoded in resolutionrequest.status.data. Versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contain a patch.
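For responders who want to know whether this was exercised in a cluster, the following Go program is an added example (not part of the advisory and not Tekton code). It scans a ResolutionRequest list of the shape `kubectl get resolutionrequests -A -o json` returns, flags git-resolver requests whose pathInRepo escapes the checkout, and reports how many bytes status.data handed back for each. The embedded JSON is constructed sample input; the name/value params list and the field names it reads are assumptions about the v1beta1 ResolutionRequest API; the flagged value uses the well-known ServiceAccount token mount path purely as an illustration, and the "token" it carries is a placeholder string.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Minimal view of one item from `kubectl get resolutionrequests -A -o json`. Only the
// fields the audit reads are modelled (encoding/json matches the lower-case JSON keys
// case-insensitively); the params-as-name/value-list shape is an API assumption.
type resolutionRequest struct {
	Metadata struct{ Name, Namespace string }
	Spec     struct {
		Params []struct {
			Name  string
			Value json.RawMessage // raw so a non-string value is skipped, not fatal
		}
	}
	Status struct{ Data string } // base64 of the resolved file contents
}

// finding is one request whose pathInRepo escaped the checkout; LeakedBytes is the
// decoded size of status.data (0 when absent or not valid base64).
type finding struct {
	Namespace, Name, PathInRepo string
	LeakedBytes                 int
}

// escapesRepo reports whether a pathInRepo value resolves outside the repository root.
// path.Clean collapses interior "a/../b" segments but keeps leading "..", which is the
// traversal of interest; absolute paths are flagged as well.
func escapesRepo(p string) bool {
	if strings.HasPrefix(p, "/") {
		return true
	}
	c := path.Clean(p)
	return c == ".." || strings.HasPrefix(c, "../")
}

// audit parses a ResolutionRequest list and returns every request whose pathInRepo escapes.
func audit(raw []byte) ([]finding, error) {
	var list struct{ Items []resolutionRequest }
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("parsing ResolutionRequest list: %w", err)
	}
	var out []finding
	for _, rr := range list.Items {
		for _, prm := range rr.Spec.Params {
			var v string
			if prm.Name != "pathInRepo" || json.Unmarshal(prm.Value, &v) != nil || !escapesRepo(v) {
				continue
			}
			n := 0
			if b, err := base64.StdEncoding.DecodeString(rr.Status.Data); err == nil {
				n = len(b)
			}
			out = append(out, finding{rr.Metadata.Namespace, rr.Metadata.Name, v, n})
		}
	}
	return out, nil
}

// Constructed sample data standing in for real cluster output; fakeToken is a
// placeholder string, not a real ServiceAccount JWT.
const (
	benignTask = "apiVersion: tekton.dev/v1\nkind: Task\n"
	fakeToken  = "constructed.sample.token"
	tokenPath  = "../../../../var/run/secrets/kubernetes.io/serviceaccount/token"
)

func sampleRequest(ns, name, pathInRepo, fileContents string) map[string]any {
	return map[string]any{
		"apiVersion": "resolution.tekton.dev/v1beta1",
		"kind":       "ResolutionRequest",
		"metadata":   map[string]any{"namespace": ns, "name": name},
		"spec": map[string]any{"params": []any{
			map[string]any{"name": "url", "value": "https://github.com/example/ci.git"},
			map[string]any{"name": "revision", "value": "main"},
			map[string]any{"name": "pathInRepo", "value": pathInRepo},
		}},
		"status": map[string]any{"data": base64.StdEncoding.EncodeToString([]byte(fileContents))},
	}
}

// sampleResolutionRequests builds a two-item list: one ordinary Task fetch and one
// request that used pathInRepo to pull the resolver pod's ServiceAccount token.
func sampleResolutionRequests() []byte {
	b, _ := json.Marshal(map[string]any{"items": []any{
		sampleRequest("ci-tenant-a", "git-5f2a", "tasks/build.yaml", benignTask),
		sampleRequest("ci-tenant-b", "git-9c01", tokenPath, fakeToken),
	}})
	return b
}

func main() {
	findings, _ := audit(sampleResolutionRequests())
	for _, f := range findings {
		fmt.Printf("%s/%s pathInRepo=%q leaked %d bytes via status.data\n", f.Namespace, f.Name, f.PathInRepo, f.LeakedBytes)
	}
}
```

Feed it the real `kubectl get resolutionrequests -A -o json` output instead of the constructed list. Because the objects are cluster resources that may already have been deleted by the time a review happens, the same pathInRepo check is worth applying to Kubernetes audit-log entries for ResolutionRequest, TaskRun and PipelineRun creates as well.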
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/tektoncd/pipeline | Go | >= 1.0.0, < 1.0.1 | 1.0.1 |
| github.com/tektoncd/pipeline | Go | >= 1.1.0, < 1.3.3 | 1.3.3 |
| github.com/tektoncd/pipeline | Go | >= 1.4.0, < 1.6.1 | 1.6.1 |
| github.com/tektoncd/pipeline | Go | >= 1.7.0, < 1.9.2 | 1.9.2 |
| github.com/tektoncd/pipeline | Go | >= 1.10.0, < 1.10.2 | 1.10.2 |
Affected products
Package URLs and affected version ranges as recorded in OSV. No CPE identifiers are assigned; the upper bound of each range is the first fixed build.
| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/tekton-chains | < 0.26.2-r4 |
| pkg:apk/chainguard/tekton-chains-fips | < 0.26.2-r5 |
| pkg:apk/chainguard/tekton-pipelines-controller-1.3 | < 1.3.3-r0 |
| pkg:apk/chainguard/tekton-pipelines-controller-1.4 | < 1.4.0-r19 |
| pkg:apk/chainguard/tekton-pipelines-controller-1.9 | < 1.9.2-r0 |
| pkg:apk/chainguard/tekton-pipelines-controller-fips-1.7 | < 1.7.0-r14 |
| pkg:apk/chainguard/tekton-pipelines-entrypoint-1.3 | < 1.3.3-r0 |
| pkg:apk/chainguard/tekton-pipelines-entrypoint-1.4 | < 1.4.0-r19 |
| pkg:apk/chainguard/tekton-pipelines-entrypoint-1.9 | < 1.9.2-r0 |
| pkg:apk/chainguard/tekton-pipelines-entrypoint-fips-1.7 | < 1.7.0-r14 |
| pkg:apk/chainguard/tekton-pipelines-events-1.3 | < 1.3.3-r0 |
| pkg:apk/chainguard/tekton-pipelines-events-1.4 | < 1.4.0-r19 |
| pkg:apk/chainguard/tekton-pipelines-events-fips-1.7 | < 1.7.0-r14 |
| pkg:apk/chainguard/tekton-pipelines-nop-1.3 | < 1.3.3-r0 |
| pkg:apk/chainguard/tekton-pipelines-nop-1.4 | < 1.4.0-r19 |
| pkg:apk/chainguard/tekton-pipelines-resolvers-1.3 | < 1.3.3-r0 |
| pkg:apk/chainguard/tekton-pipelines-resolvers-1.4 | < 1.4.0-r19 |
| pkg:apk/chainguard/tekton-pipelines-resolvers-1.9 | < 1.9.2-r0 |
| pkg:apk/chainguard/tekton-pipelines-resolvers-fips-1.7 | < 1.7.0-r14 |
| pkg:apk/chainguard/tekton-pipelines-sidecarlogresults-1.3 | < 1.3.3-r0 |
| pkg:apk/chainguard/tekton-pipelines-sidecarlogresults-1.4 | < 1.4.0-r19 |
| pkg:apk/chainguard/tekton-pipelines-sidecarlogresults-1.9 | < 1.9.2-r0 |
| pkg:apk/chainguard/tekton-pipelines-sidecarlogresults-fips-1.7 | < 1.7.0-r14 |
| pkg:apk/chainguard/tekton-pipelines-webhook-1.3 | < 1.3.3-r0 |
| pkg:apk/chainguard/tekton-pipelines-webhook-1.4 | < 1.4.0-r19 |
| pkg:apk/chainguard/tekton-pipelines-workingdirinit-1.3 | < 1.3.3-r0 |
| pkg:apk/chainguard/tekton-pipelines-workingdirinit-1.4 | < 1.4.0-r19 |
| pkg:apk/chainguard/tkn | < 0.44.0-r4 |
| pkg:apk/chainguard/tkn-fips | < 0.44.0-r4 |
| pkg:apk/wolfi/tekton-chains | < 0.26.2-r4 |
| pkg:apk/wolfi/tekton-pipelines-controller-1.3 | < 1.3.3-r0 |
| pkg:apk/wolfi/tekton-pipelines-controller-1.4 | < 1.4.0-r19 |
| pkg:apk/wolfi/tekton-pipelines-controller-1.9 | < 1.9.2-r0 |
| pkg:apk/wolfi/tekton-pipelines-entrypoint-1.3 | < 1.3.3-r0 |
| pkg:apk/wolfi/tekton-pipelines-entrypoint-1.4 | < 1.4.0-r19 |
| pkg:apk/wolfi/tekton-pipelines-entrypoint-1.9 | < 1.9.2-r0 |
| pkg:apk/wolfi/tekton-pipelines-events-1.3 | < 1.3.3-r0 |
| pkg:apk/wolfi/tekton-pipelines-events-1.4 | < 1.4.0-r19 |
| pkg:apk/wolfi/tekton-pipelines-nop-1.3 | < 1.3.3-r0 |
| pkg:apk/wolfi/tekton-pipelines-nop-1.4 | < 1.4.0-r19 |
| pkg:apk/wolfi/tekton-pipelines-resolvers-1.3 | < 1.3.3-r0 |
| pkg:apk/wolfi/tekton-pipelines-resolvers-1.4 | < 1.4.0-r19 |
| pkg:apk/wolfi/tekton-pipelines-resolvers-1.9 | < 1.9.2-r0 |
| pkg:apk/wolfi/tekton-pipelines-sidecarlogresults-1.3 | < 1.3.3-r0 |
| pkg:apk/wolfi/tekton-pipelines-sidecarlogresults-1.4 | < 1.4.0-r19 |
| pkg:apk/wolfi/tekton-pipelines-sidecarlogresults-1.9 | < 1.9.2-r0 |
| pkg:apk/wolfi/tekton-pipelines-webhook-1.3 | < 1.3.3-r0 |
| pkg:apk/wolfi/tekton-pipelines-webhook-1.4 | < 1.4.0-r19 |
| pkg:apk/wolfi/tekton-pipelines-workingdirinit-1.3 | < 1.3.3-r0 |
| pkg:apk/wolfi/tekton-pipelines-workingdirinit-1.4 | < 1.4.0-r19 |
| pkg:apk/wolfi/tkn | < 0.44.0-r4 |
| pkg:golang/github.com/tektoncd/pipeline | >= 1.0.0, < 1.0.1 |
| pkg:rpm/opensuse/govulncheck-vulndb (distro openSUSE Leap 15.6) | < 0.0.20260326T203309-150000.1.155.2 |
| pkg:rpm/opensuse/tekton-cli (distro openSUSE Tumbleweed) | < 0.44.1-1.1 |
Patches
Fixed in Tekton Pipelines 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2; the tektoncd/pipeline commits the advisory cites are listed under References. Downstream rebuilds (Chainguard, Wolfi, openSUSE) appear under Affected products with the first fixed build as the upper bound of each range.
Vulnerability mechanics
The git resolver checks out the requested repository on the resolver pod and returns the file named by the tenant-controlled pathInRepo parameter. In affected versions that value was used without being confined to the checkout, so a value containing ".." segments resolves to a path outside the repository and the resolver reads and returns whatever file it points at. Because the read runs inside the resolver pod, it reaches that pod's own filesystem, including the mounted ServiceAccount token, and the result is handed back to the requester base64-encoded in resolutionrequest.status.data.
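As an added illustration (not Tekton's code and not the actual fix; the commits under References are that), the following Go program contrasts the weak pattern of joining a tenant-supplied pathInRepo onto the checkout directory with a containment check that rejects anything resolving outside it, including symlinks committed to the repository. The function names, the "/srv/checkout" root and the sample pathInRepo values are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathEscapesRepo is returned when pathInRepo would resolve outside the checkout.
var ErrPathEscapesRepo = errors.New("pathInRepo escapes the repository checkout")

// unsafeRepoPath is the weak pattern: join the tenant-supplied pathInRepo onto the
// checkout root with no containment check. filepath.Join cleans the result, but
// cleaning "../../etc/passwd" keeps the leading "..", so the path lands outside root.
func unsafeRepoPath(root, pathInRepo string) string {
	return filepath.Join(root, pathInRepo)
}

// within reports whether p is a proper descendant of root (both absolute and cleaned).
// filepath.Rel is used instead of a string-prefix test so that a sibling directory such
// as "/srv/checkout-evil" is not mistaken for a child of "/srv/checkout".
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == "." || rel == ".." {
		return false
	}
	return !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeRepoPath resolves pathInRepo against root and fails closed unless the cleaned
// result stays inside root. Empty and absolute values are rejected outright.
func safeRepoPath(root, pathInRepo string) (string, error) {
	if pathInRepo == "" || filepath.IsAbs(pathInRepo) {
		return "", ErrPathEscapesRepo
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, pathInRepo) // Join also runs filepath.Clean
	if !within(absRoot, full) {
		return "", ErrPathEscapesRepo
	}
	return full, nil
}

// readPathInRepo applies safeRepoPath and then re-checks containment after resolving
// symlinks, so a symlink committed to the repository (link -> /var/run/secrets/...)
// cannot redirect the read outside the checkout either.
func readPathInRepo(root, pathInRepo string) ([]byte, error) {
	full, err := safeRepoPath(root, pathInRepo)
	if err != nil {
		return nil, err
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return nil, err
	}
	realFull, err := filepath.EvalSymlinks(full)
	if err != nil {
		return nil, err
	}
	if !within(realRoot, realFull) {
		return nil, ErrPathEscapesRepo
	}
	return os.ReadFile(realFull)
}

func main() {
	const root = "/srv/checkout" // hypothetical clone directory on the resolver pod
	for _, p := range []string{"tasks/build.yaml", "a/../../x.yaml", "../../etc/passwd", "/etc/passwd"} {
		safe, err := safeRepoPath(root, p)
		fmt.Printf("%-20q unsafe=%-24q safe=%q err=%v\n", p, unsafeRepoPath(root, p), safe, err)
	}
}
```

The two-stage check matters: the lexical test in safeRepoPath stops ".." traversal in the parameter itself, while the post-EvalSymlinks test in readPathInRepo stops the second route into the pod's filesystem, a symlink that a tenant controlling the repository can commit and then name with a perfectly ordinary pathInRepo.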
References
- GitHub Advisory Database entry: https://github.com/advisories/GHSA-j5q5-j9gm-2w5c
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-33211
- tektoncd/pipeline commit: https://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e34687c
- tektoncd/pipeline commit: https://github.com/tektoncd/pipeline/commit/318006c4e3a5
- tektoncd/pipeline commit: https://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd
- tektoncd/pipeline commit: https://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0a75ae
- tektoncd/pipeline commit: https://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d9ee5e
- tektoncd/pipeline commit: https://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db
- tektoncd/pipeline commit: https://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b9cb78
- Project security advisory: https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c