Zarf Path Traversal Vulnerability Allowing Arbitrary File Access

Vulnerability

A path traversal vulnerability has been identified in Zarf, a package manager for Kubernetes, affecting versions from 0.54.0 up to, but not including, 0.73.1. The vulnerability arises during archive extraction: a maliciously crafted Zarf package can contain symlink entries whose targets point outside the intended destination directory, and the extractor creates them without checking where they resolve. Any later read or write that goes through such a link reaches an arbitrary location on the system processing the package. The issue has been patched in version 0.73.1.

Impact

Exploitation of this vulnerability could lead to unauthorized file reads or writes on the system processing the package, performed with the privileges of the user running Zarf, and to code execution if an overwritten file is later executed.

Reproduction

To reproduce this vulnerability, create a Zarf package whose archive contains a symlink entry with a malicious target, i.e. one that resolves outside the destination directory (a relative target with enough `../` components, or an absolute path). When an affected version processes this package, the symlink is created as supplied, so subsequent reads or writes through it reach arbitrary locations on the filesystem. The same behaviour can be reproduced with `zarf tools archiver decompress` on a generic archive that contains a similar symlink payload.
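The mechanism described in the Vulnerability and Reproduction sections, shown as an added Go example that is not Zarf's own code: a hardened tar extractor carrying the symlink-target check that an affected version lacks, run against a constructed archive with the kind of symlink payload described above. The function names (`safeJoin`, `checkSymlinkTarget`, `extractTar`, `buildTar`), the `maliciousEntries` sample and the destination paths are this example's own assumptions; it uses only the Go standard library and calls no Zarf API.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// errTraversal marks any entry that would land, or point, outside dest.
var errTraversal = errors.New("archive entry escapes destination directory")

// safeJoin places an entry name under dest and rejects lexical escapes such as "../../x".
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	p := filepath.Join(dest, name)
	rel, err := filepath.Rel(dest, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: entry %q", errTraversal, name)
	}
	return p, nil
}

// checkSymlinkTarget is the check the advisory describes as missing: the target is
// resolved relative to the link's own directory and must stay inside dest.
func checkSymlinkTarget(dest, linkName, target string) error {
	if filepath.IsAbs(target) {
		return fmt.Errorf("%w: symlink %q has absolute target %q", errTraversal, linkName, target)
	}
	if _, err := safeJoin(dest, filepath.Join(filepath.Dir(linkName), target)); err != nil {
		return fmt.Errorf("%w: symlink %q -> %q", errTraversal, linkName, target)
	}
	return nil
}

// extractTar fails closed on the first bad entry; regular files are opened with O_EXCL,
// so a write is never routed through a path that already exists, symlink included.
func extractTar(r io.Reader, dest string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err == nil && hdr.Typeflag == tar.TypeSymlink {
			err = checkSymlinkTarget(dest, hdr.Name, hdr.Linkname)
		}
		if err == nil {
			err = os.MkdirAll(filepath.Dir(target), 0o755)
		}
		if err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink:
			err = os.Symlink(hdr.Linkname, target)
		case tar.TypeReg:
			var f *os.File
			if f, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, os.FileMode(hdr.Mode)&0o777); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		default:
			err = fmt.Errorf("unsupported entry type %q: %q", hdr.Typeflag, hdr.Name)
		}
		if err != nil {
			return err
		}
	}
}

// Constructed sample (not a real Zarf package): a benign file, a symlink escaping via
// "..", a file an unsafe extractor would write through it, and an absolute-target symlink.
var maliciousEntries = []*tar.Header{
	{Name: "README.md", Typeflag: tar.TypeReg, Mode: 0o644, Size: 9},
	{Name: "escape", Typeflag: tar.TypeSymlink, Linkname: "../../../../etc"},
	{Name: "escape/passwd", Typeflag: tar.TypeReg, Mode: 0o644, Size: 9},
	{Name: "abs", Typeflag: tar.TypeSymlink, Linkname: "/etc/passwd"},
}

// buildTar serialises the headers into an in-memory tar; each regular file gets a 9-byte body.
func buildTar(entries []*tar.Header) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, hdr := range entries {
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if hdr.Typeflag == tar.TypeReg {
			tw.Write([]byte("harmless\n"))
		}
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "zarf-extract-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	fmt.Println("hardened extract:", extractTar(bytes.NewReader(buildTar(maliciousEntries)), dest))
}
```

The sample archive carries the ordering an attacker relies on: the `escape` symlink is written first, and the `escape/passwd` entry that follows would, in an extractor without the target check, be opened through that link and land under `/etc` relative to the destination's ancestors. With the check in place extraction stops at `escape`, leaving only `README.md` on disk. Two points are worth keeping in mind when auditing an extractor: a lexical check on entry names alone (the classic zip-slip check in `safeJoin`) does not catch this bug, because `escape/passwd` is a perfectly well-formed relative name; and the symlink target must be resolved relative to the link's own directory, not the destination root, or a target such as `../README.md` from `sub/link` would be wrongly rejected while deeper escapes could be missed. The same two checks apply unchanged to the generic archives handled by `zarf tools archiver decompress`.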

Remediation

Users should upgrade to Zarf version 0.73.1 or later. If an immediate upgrade is not possible, only process Zarf packages, and generic archives passed to `zarf tools archiver decompress`, from trusted sources until the update can be applied.

Added: Mar 6, 2026, 5:20 PM
Updated: Mar 6, 2026, 5:20 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          1.7
  exploitability  6.5
  remediation     0.0
  relevance       3.5
  threat          1.6
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.