CVE-2026-50545
Fission · Fission Framework
A validation flaw in Fission’s pod specification handling allows for the propagation of dangerous fields, leading to unauthorized control over generated pods.
Executive summary
A critical security flaw in Fission prior to version 1.24.0 allows authenticated tenants to influence pod creation, leading to potential privilege escalation.
Vulnerability
The framework fails to properly validate podSpec configurations, allowing MergePodSpec to propagate dangerous fields into generated pods. This creates an unintended sphere of control for authenticated users, categorized under MITRE ATT&CK technique T1068.
Business impact
The CVSS score of 9.9 highlights the extreme risk associated with this vulnerability, as it allows for the subversion of container security boundaries. By injecting dangerous configurations into pod specs, an attacker can gain elevated privileges within the Kubernetes environment, potentially leading to a full cluster compromise.
Remediation
Immediate Action: Upgrade the Fission framework to version 1.24.0 or later to implement necessary validation for pod specifications.
Proactive Monitoring: Review Kubernetes audit logs for unusual pod creation events or modifications to pod specifications that originate from the Fission controller or tenant-controlled environments.
Compensating Controls: Utilize Kubernetes Admission Controllers (e.g., OPA Gatekeeper or Kyverno) to enforce strict policies on pod security contexts and prevent the deployment of privileged containers.
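For the audit-log review described under Proactive Monitoring, the following added example (not code from Fission or from this advisory) scans Kubernetes audit events for pod-spec writes that carry privileged containers, host namespaces or hostPath volumes. It goes slightly beyond pod creation by also reading the pod template of Deployments. Assumptions: the field list is taken from the Kubernetes Pod Security Standards baseline profile, the audit policy records these resources at Request level or above so that requestObject is present, and the namespace and service account names are constructed placeholders.

```python
import json

# Assumption: this field list follows the Pod Security Standards "baseline"
# profile; the advisory does not enumerate the dangerous fields.
HOST_FLAGS = ("hostNetwork", "hostPID", "hostIPC")

def risky_fields(pod_spec):
    """Return the sorted risky settings present in a pod spec dict."""
    found = {f for f in HOST_FLAGS if pod_spec.get(f) is True}
    for vol in pod_spec.get("volumes") or []:
        if isinstance(vol.get("hostPath"), dict):
            found.add("hostPath:" + vol["hostPath"].get("path", "?"))
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(key) or []:
            if (c.get("securityContext") or {}).get("privileged") is True:
                found.add("privileged:" + c.get("name", "?"))
    return sorted(found)

def pod_spec_of(obj):  # Pod: .spec; Deployment: .spec.template.spec
    spec = obj.get("spec") or {}
    return (spec["template"].get("spec") or {}) if isinstance(spec.get("template"), dict) else spec

def scan(lines, watched_namespaces):
    """Return (user, namespace, name, fields) for each risky pod-spec write."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
            ref, obj = ev.get("objectRef") or {}, ev.get("requestObject")
        except (json.JSONDecodeError, AttributeError):
            continue  # truncated line or non-object JSON
        if (ev.get("stage") != "ResponseComplete" or not isinstance(obj, dict)
                or ev.get("verb") not in ("create", "update", "patch")
                or ref.get("resource") not in ("pods", "deployments")
                or ref.get("namespace") not in watched_namespaces):
            continue
        fields = risky_fields(pod_spec_of(obj))
        if fields:
            user = (ev.get("user") or {}).get("username")
            hits.append((user, ref.get("namespace"), ref.get("name"), fields))
    return hits

# Constructed audit lines (audit.k8s.io/v1 shape, trimmed); all names are made up.
_HEAD = '{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:example-ns:example-sa"},'
SAMPLE = [
    _HEAD + '"objectRef":{"resource":"pods","namespace":"fn-tenants","name":"fn-a"},"requestObject":{"spec":{"containers":[{"name":"fn"}]}}}',
    _HEAD + '"objectRef":{"resource":"deployments","namespace":"fn-tenants","name":"fn-b"},"requestObject":{"spec":{"template":{"spec":{"hostPID":true,"containers":[{"name":"fn","securityContext":{"privileged":true}}]}}}}}',
    '{"stage":"ResponseComplete","verb":"cre',  # truncated line, skipped by scan()
]
```

Calling scan(SAMPLE, {"fn-tenants"}) reports only the fn-b write; pass the namespaces where tenant functions actually run in your cluster.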
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the high CVSS score and the potential for deep cluster-level compromise, this update should be treated with high urgency. Patching to version 1.24.0 is essential to restrict the sphere of influence that authenticated tenants can exert over the underlying infrastructure.