GHSA-5pmx-7r6r-wfqq: 
vulnerability analysis and mitigation

The transformation policy template feature in Kgateway versions through 2.0.4 contains a vulnerability (GHSA-5pmx-7r6r-wfqq) that allows users with TrafficPolicy creation permissions to craft transformations that can read and expose arbitrary files from the dataplane container filesystem. The vulnerability affects github.com/kgateway-dev/kgateway/v2 package versions < 2.0.5 and >= 2.1.0-agw-cel-rbac, < 2.1.0, with patched versions being 2.0.5 and 2.1.0 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 3.5 (Low severity) with the following metrics: Attack Vector: Adjacent, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality: Low, Integrity: None, Availability: None. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (GitHub Advisory).

The vulnerability allows users with TrafficPolicy creation permissions to access and expose files from within the dataplane container. While no secrets are mounted to the container by default, users who mount custom volumes to the dataplane may be exposed to potential data exposure. This could lead to unauthorized access to configuration files within the container, custom mounted volumes and their contents, and any files accessible to the dataplane container process (GitHub Advisory).

Users are advised to upgrade to version 2.0.5 or 2.1.0, which include an updated transformation filter in envoy-gloo that prevents file access through transformation templates. For those unable to upgrade immediately, a workaround is available: if not using transformations, users can disallow TrafficPolicy creation or restrict transformation usage using a ValidatingAdmissionPolicy (GitHub Advisory).