|
| 1 | +vulnerabilities: |
| 2 | + # Typescript / typeorm |
| 3 | + - id: CVE-2022-33171 |
| 4 | + paths: |
| 5 | + - "app/node_modules/typeorm/package.json" |
| 6 | + statement: | |
| 7 | + This vulnerability in TypeORM's findOne / findOneOrFail functions can improperly interpret a crafted JSON object |
| 8 | + and concatenate it into raw SQL, potentially allowing SQL injection attacks. |
| 9 | +
|
| 10 | + In Gitpod’s usage, TypeORM is not exposed to arbitrary user input. For example, DB migrations run preset queries; |
| 11 | + the server/bridge code does not hand raw JSON from external sources to findOne. Therefore, there is no path for |
| 12 | + injecting malicious JSON into a query, rendering the vulnerability non-exploitable. |
| 13 | +
|
| 14 | + # image-builder-bob |
| 15 | + - id: CVE-2024-32002 |
| 16 | + statement: | |
| 17 | + A vulnerability allowing remote code execution when cloning a malicious repository (often leveraging submodules |
| 18 | + and symlinks on case-insensitive filesystems) that can place malicious scripts in .git/hooks/. On Windows/macOS |
| 19 | + (case-insensitive FS), a malicious repo can use symlinks or tricky paths to cause Git to write hook scripts in |
| 20 | + the main .git directory during clone, which Git then executes automatically. This results in code execution on |
| 21 | + the system performing the clone. |
| 22 | +
|
| 23 | + The standard exploit path involving .Git vs. .git doesn’t work on Linux. Also, Gitpod’s builder typically |
| 24 | + fetches known repositories or user-provided repos in a controlled environment. Even if a user cloned a hostile |
| 25 | + repo in their own workspace, they’d compromise only themselves (in a sandboxed container). No broader exploit |
| 26 | + of the underlying host is possible. |
| 27 | +
|
| 28 | + - id: CVE-2024-23652 |
| 29 | + paths: |
| 30 | + - "usr/bin/buildctl" |
| 31 | + - "usr/bin/buildkitd" |
| 32 | + statement: | |
| 33 | + A vulnerability where the RUN --mount cleanup logic could remove directories outside of the build context, |
| 34 | + leading to potential arbitrary file deletion on the host if BuildKit is used with untrusted Dockerfiles. |
| 35 | +
|
| 36 | + Gitpod runs BuildKit inside containers in a Kubernetes environment. Even if a malicious Dockerfile tries to |
| 37 | + exploit this, it can only affect the container’s filesystem (which the user already controls). There’s no path to |
| 38 | + escalate beyond the container to the node’s host filesystem, so this has no material security impact in Gitpod’s |
| 39 | + isolated build setup. |
| 40 | +
|
| 41 | + - id: CVE-2024-23653 |
| 42 | + paths: |
| 43 | + - "usr/bin/buildctl" |
| 44 | + - "usr/bin/buildkitd" |
| 45 | + statement: | |
| 46 | + A flaw allowing a build container to run with elevated privileges without the required security.insecure |
| 47 | + entitlement. This can grant a malicious Dockerfile or BuildKit client more privileges than intended during the |
| 48 | + build. |
| 49 | +
|
| 50 | + In Gitpod, BuildKit operates under tight Kubernetes constraints. Even if a user tries to request privileged mode, |
| 51 | + it won’t escalate to the actual host or break out of the container. The user is effectively “attacking” their |
| 52 | + own build container. They already have control there, so there’s no additional privilege escalation beyond their |
| 53 | + existing user container in Gitpod’s architecture. |
| 54 | +
|
| 55 | +
|
| 56 | + - id: CVE-2024-45337 |
| 57 | + paths: |
| 58 | + - "usr/bin/buildctl" |
| 59 | + - "usr/bin/buildkitd" |
| 60 | + - "usr/bin/kube-rbac-proxy" |
| 61 | + statement: | |
| 62 | + An SSH authentication bypass issue if PublicKeyCallback is used incorrectly in Go’s SSH server library. Misuse |
| 63 | + can lead to validating the wrong public key and granting access under the wrong identity. |
| 64 | +
|
| 65 | + Neither BuildKit nor kube-rbac-proxy runs an SSH server that uses PublicKeyCallback for authentication. |
| 66 | + Kube-rbac-proxy does HTTP-based RBAC checks. BuildKit may include x/crypto/ssh but does not expose an SSH server |
| 67 | + requiring PublicKeyCallback. Hence, there’s no exploit path for this bug in these components. |
| 68 | +
|
| 69 | + - id: CVE-2024-24790 |
| 70 | + statement: | |
| 71 | + A logic flaw in Go’s net/netip packages causing misclassification of certain IPv4-mapped IPv6 addresses (e.g., failing to mark them as loopback/private). Could lead to security checks that rely on IP classification (like IsPrivate, IsLoopback) being bypassed. |
| 72 | +
|
| 73 | + In these images (Cloud SQL Proxy, bob-runc, BuildKit, kube-rbac-proxy), there’s no code path that enforces security decisions using IsLoopback/IsPrivate from Go’s netip. They either accept connections in a controlled environment (Cloud SQL Proxy -> GCP) or use different authentication mechanisms (kube-rbac-proxy). Hence, no external attack can exploit this misclassification. |
| 74 | +
|
| 75 | + - id: CVE-2024-45491 |
| 76 | + statement: | |
| 77 | + Integer overflow in dtdCopy when dealing with a large number of default attributes in a DTD, causing potential out-of-bounds write or memory corruption in Expat on 32-bit systems. |
| 78 | +
|
| 79 | + The container runs on a 64-bit Alpine Linux environment, not a 32-bit build, so the overflow is not triggered the same way. Moreover, there is no component automatically parsing untrusted XML with Expat. Hence, no practical exploitation path in Gitpod’s usage. |
| 80 | +
|
| 81 | + - id: CVE-2024-45492 |
| 82 | + statement: | |
| 83 | + Similar integer overflow in the nextScaffoldPart function of Expat, triggered by enormous or deeply nested content models in the DTD. Can lead to denial of service or potential corruption. |
| 84 | +
|
| 85 | + As with CVE-2024-45491, the environment is 64-bit Alpine, and no untrusted XML parsing occurs by default. Thus, the bug cannot be reached in a way that leads to exploitation. |
0 commit comments