Impact
Fission is an open-source, Kubernetes-native serverless platform. In versions prior to 1.24.0, the Container Executor allows a tenant to include a custom Function.spec.podspec, which the executor merges directly into the pod specification it then uses to create a Deployment. Because the merge occurs before the Deployment is instantiated, the tenant can inject arbitrary container and pod settings. If an attacker supplies malicious podspec content, the resulting pod executes at the node level with the node's privileges, effectively escaping the tenant's security boundaries. The weakness is an instance of Improper Privilege Management (CWE-269) and Improper Access Control (CWE-284).
Affected Systems
Every installation of Fission earlier than version 1.24.0 is affected. The issue resides in the Container Executor component, and any tenant that can define Function.spec.podspec values against a vulnerable cluster is at risk. The patch is distributed with Fission release 1.24.0, and later versions no longer merge unvalidated podspecs.
Risk and Exploitability
The vulnerability has a CVSS score of 9.9, indicating critical severity. An EPSS score is not provided, and the vulnerability is not listed in CISA's KEV catalog, but the high CVSS score remains a strong indicator of potential impact. The likely attack vector is an actor with tenant-level permissions in a shared Kubernetes cluster who supplies a malicious podspec; this is inferred from the description, which states that the tenant supplies Function.spec.podspec. Successful exploitation would give the attacker full control over the affected node, bypassing typical pod-security restrictions.
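A triage aid for the podspec merge described above, added here as an example and not taken from Fission's code or the advisory: it reads a Function manifest as JSON and reports host-level settings found under spec.podspec, so clusters still below 1.24.0 can review which tenant Functions carry them. The name AuditFunction, the short list of checked Kubernetes PodSpec fields, and the sample manifest are assumptions for illustration; the JSON key podspec follows the advisory's Function.spec.podspec.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only node-reaching PodSpec fields are modelled; encoding/json matches keys case-insensitively.
type ctr struct {
	Name            string
	SecurityContext struct{ Privileged bool }
}
type podSpec struct {
	HostNetwork, HostPID, HostIPC bool
	Containers, InitContainers    []ctr
	Volumes                       []struct {
		Name     string
		HostPath *struct{ Path string }
	}
}

// AuditFunction lists host-level settings found in a Function's spec.podspec (hypothetical helper).
func AuditFunction(manifest []byte) ([]string, error) {
	var fn struct{ Spec struct{ PodSpec podSpec } }
	if err := json.Unmarshal(manifest, &fn); err != nil {
		return nil, fmt.Errorf("parse Function manifest: %w", err)
	}
	ps, out := fn.Spec.PodSpec, []string{}
	for i, on := range []bool{ps.HostNetwork, ps.HostPID, ps.HostIPC} {
		if on {
			out = append(out, "podspec."+[]string{"hostNetwork", "hostPID", "hostIPC"}[i]+"=true")
		}
	}
	for _, c := range append(append([]ctr{}, ps.Containers...), ps.InitContainers...) {
		if c.SecurityContext.Privileged {
			out = append(out, "container "+c.Name+": privileged=true")
		}
	}
	for _, v := range ps.Volumes {
		if v.HostPath != nil {
			out = append(out, "volume "+v.Name+": hostPath "+v.HostPath.Path)
		}
	}
	return out, nil
}

// Constructed sample manifest (not from the advisory).
const sample = `{"spec":{"podspec":{"hostNetwork":true,"containers":[{"name":"fn"}],"volumes":[{"name":"logs","hostPath":{"path":"/var/log"}}]}}}`

func main() { fmt.Println(AuditFunction([]byte(sample))) }
```

The field list is a starting point rather than a complete policy; an empty result means only that none of the checked fields are set.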