CVE-2022-41939: 
vulnerability analysis and mitigation

CVE-2022-41939 affects knative.dev/func, a client library and CLI enabling the development and deployment of Kubernetes functions. The vulnerability was discovered and disclosed in November 2022. The vulnerability allows developers using a malicious or compromised third-party buildpack to expose their registry credentials or local docker socket to a malicious 'lifecycle' container (Debian Security, GitHub Advisory).

The vulnerability has a CVSS v3.1 score of 8.4 (High) with the following metrics: Attack Vector: Network, Attack Complexity: High, Privileges Required: None, User Interaction: Required, Scope: Changed, Confidentiality: High, Integrity: High, Availability: High. The attack path involves an attacker publishing a language framework with both a function builder and buildpack, using a registry prefix trusted by func (e.g., gcr.io/paketo-buildpacks-for-language/builder:latest). When a victim uses the function template and performs a func build operation, the attacker's lifecycle image can gain access to sensitive credentials or the docker daemon (GitHub Advisory).

The vulnerability can lead to two major impacts: 1) When publishing to a remote registry, attackers can access mounted registry credentials for destination, cache, and run image repositories (which may have read-write access), 2) When pushing to the local docker daemon, attackers can gain access to the local docker daemon through the docker control socket, enabling the launch of additional containers with local access (GitHub Advisory).

The vulnerability has been patched in PR #1442 and is part of release v1.8.1. For users who cannot immediately update, a workaround is available: users working with third-party function buildpacks can pin the builder image to a specific content-hash with a valid lifecycle image to mitigate the attack (GitHub Advisory).