Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime
Moderate severity
GitHub Reviewed
Published
Mar 15, 2024
in
fluid-cloudnative/fluid
•
Updated Mar 25, 2024
Description
Published to the GitHub Advisory Database
Mar 15, 2024
Reviewed
Mar 15, 2024
Published by the National Vulnerability Database
Mar 15, 2024
Last updated
Mar 25, 2024
Impact
OS command injection vulnerability within the Fluid project's JuicefsRuntime can potentially allow an authenticated user, who has the authority to create or update the K8s CRD Dataset/JuicefsRuntime, to execute arbitrary OS commands within the juicefs related containers. This could lead to unauthorized access, modification or deletion of data.
Patches
For users who're using version < 0.9.3 with JuicefsRuntime, upgrade to v0.9.3.
References
Are there any links users can visit to find out more?
Credits
Special thanks to the discovers of this issue:
Xiaozheng Zhang [email protected]
References