Nixpkgs security tracker

Login with GitHub

Suggestion detail

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-40923
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month ago
  • @LeSuisse dismissed (not in Nixpkgs) 1 month ago
Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal paths by using .. path traversal components. The restriction check uses strings.HasPrefix without filepath.Clean, so a path like /tekton/home/../results passes validation but resolves to /tekton/results at runtime. This vulnerability is fixed in 1.11.1.

Affected products

pipeline
  • ==< 1.11.1

Matching in nixpkgs

pkgs.pipeline

Watch YouTube and PeerTube videos in one place

pkgs.libpipeline

C library for manipulating pipelines of subprocesses in a flexible and convenient way

Package maintainers