While working on k8sgpt project, I found a vulnerability in github.com/kedacore/keda/v2.
The scan reported an Arbitrary File Read vulnerability affecting KEDA’s TriggerAuthentication configuration when used with HashiCorp Vault. Due to insufficient path validation when loading the Service Account Token, an attacker with permission to create or modify TriggerAuthentication resources could potentially read arbitrary files from the node filesystem.
CVE Link
CVE Report
While working on k8sgpt project, I found a vulnerability in github.com/kedacore/keda/v2.
The scan reported an Arbitrary File Read vulnerability affecting KEDA’s TriggerAuthentication configuration when used with HashiCorp Vault. Due to insufficient path validation when loading the Service Account Token, an attacker with permission to create or modify TriggerAuthentication resources could potentially read arbitrary files from the node filesystem.
CVE Link
CVE Report