+ "details": "## Summary\n\nThe transformation policy template feature in Kgateway versions through 2.0.4 allows users with TrafficPolicy creation permissions to craft transformations that read and expose arbitrary files from the dataplane container filesystem.\n\n## Description\n\n### Impact\n\nUsers with permissions to create a TrafficPolicy can create a transformation that returns files from within the dataplane container. While no secrets are mounted to the container by default, users who mount custom volumes to the dataplane should be aware of potential data exposure through this vulnerability.\n\nThis could allow unauthorized access to:\n- Configuration files within the container\n- Custom mounted volumes and their contents\n- Any files accessible to the dataplane container process\n\n### Patches\n\nUpgrade to version 2.0.5 or 2.1.0. These versions include an updated transformation filter in envoy-gloo that prevents file access through transformation templates.\n\n### Workarounds\n\nIf you are not using transformations, you can disallow TrafficPolicy creation or restrict transformation usage using a ValidatingAdmissionPolicy to prevent exploitation while preparing to upgrade.\n\n## References\n\n- Fix in 2.1.0: https://github.com/kgateway-dev/kgateway/pull/12528 (envoy-gloo v1.35.2-patch4)\n- Backport to 2.0.5: Included in https://github.com/kgateway-dev/kgateway/pull/12535 (envoy-gloo v1.34.6-patch3)\n- Envoy-gloo releases: https://github.com/solo-io/envoy-gloo/releases/tag/v1.35.2-patch4\n- Envoy-gloo releases: https://github.com/solo-io/envoy-gloo/releases/tag/v1.34.6-patch3\n\n\n## Credits\n\nKindly reported by @rikatz\n\n## For More Information\n\nIf you have any questions or comments about this advisory, please reach out in slack https://cloud-native.slack.com/archives/C080D3PJMS4",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments