CVE-2023-23939
Azure/setup-kubectl: Escalation of privilege vulnerability for v3 and lower
In short
The Azure/setup-kubectl GitHub Action (versions before 3) installs the kubectl binary with overly permissive file permissions (777), allowing any user on the same runner to replace it with a malicious version. Whatever later runs kubectl, typically root, then executes the attacker's code, so the outcome is local privilege escalation on the runner.
Technical detail
CWE-732 (incorrect permission assignment for a critical resource): the installer calls `fs.chmodSync(kubectlPath, 777)`, leaving a world-writable binary and enabling local privilege escalation on shared GitHub Actions runners. Exploitation requires local access to the runner environment (a compromised runner, or a malicious Action running in the same job); the impact is arbitrary command execution with the privileges of whichever user runs kubectl, typically root. Fixed in v3 and later, which use 775 permissions instead.
Summary generated and translated by AI from the official description.
Azure/setup-kubectl is a GitHub Action for installing Kubectl. This vulnerability only impacts versions before version 3. An insecure temporary creation of a file allows other actors on the Actions runner to replace the Kubectl binary created by this action because it is world writable. This Kubectl tool installer runs `fs.chmodSync(kubectlPath, 777)` to set permissions on the Kubectl binary; however, this allows any local user to replace the Kubectl binary. This allows privilege escalation to the user that can also run kubectl, most likely root. This attack is only possible if an attacker somehow breached the GitHub actions runner or if a user is utilizing an Action that maliciously executes this attack. This has been fixed and released in all versions `v3` and later. 775 permissions are used instead. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Affected products
Azure · setup-kubectl