CVE-2026-50563
Fission · Fission Framework
A privilege management flaw in Fission’s Container Executor allows tenants to supply arbitrary pod specifications, creating potential for unauthorized privilege escalation.
Executive summary
A critical vulnerability in Fission prior to version 1.24.0 allows tenants to manipulate pod execution, potentially leading to unauthorized system control.
Vulnerability
The Container Executor path insufficiently validates Function.spec.podspec inputs, so an authenticated tenant can inject custom pod specifications. These are subsequently merged into the executor-built podspec, which lets user-supplied container images run with elevated privileges (T1068).
Business impact
With a CVSS score of 9.9, this vulnerability enables an attacker to bypass container isolation. This could result in unauthorized access to sensitive files, network resources, or other tenant workloads within the Kubernetes cluster, representing a significant breach of multi-tenant security policies.
Remediation
Immediate Action: Update Fission to version 1.24.0 or later to remediate the insecure handling of tenant-supplied pod specifications.
Proactive Monitoring: Audit Fission-generated deployments for non-standard container images or unexpected security context configurations that deviate from organizational standards.
Compensating Controls: Implement strict Kubernetes Pod Security Standards (PSS) to restrict the capabilities of pods created within the Fission namespace, effectively mitigating the ability to run privileged containers.
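An added example for the Proactive Monitoring step (not Fission's code): it audits Deployment objects, in the shape returned by `kubectl get deployments -o json`, for images outside an allowed registry and for security context settings that Pod Security Standards restrict. The registry prefix, namespaces and sample manifests are constructed assumptions.

```python
# Assumption: functions are expected to pull from this registry (hypothetical prefix).
ALLOWED_IMAGE_PREFIXES = ("registry.example.internal/",)

def audit_pod_spec(spec, allowed=ALLOWED_IMAGE_PREFIXES):
    """Return a list of findings for one Kubernetes PodSpec dict."""
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag}=true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"pod: hostPath volume {vol['hostPath'].get('path')}")
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        name, image = c.get("name", "?"), c.get("image", "")
        if not image.startswith(tuple(allowed)):
            findings.append(f"{name}: image {image} outside allowed registries")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true")
        # Kubernetes treats an unset allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            findings.append(f"{name}: added capabilities {sorted(added)}")
    return findings

def audit_deployments(doc):
    """Map 'namespace/name' to findings for a Deployment or a List of them."""
    report = {}
    for d in doc.get("items", [doc]):
        meta = d.get("metadata", {})
        spec = d.get("spec", {}).get("template", {}).get("spec", {})
        found = audit_pod_spec(spec)
        if found:
            report[f"{meta.get('namespace')}/{meta.get('name')}"] = found
    return report

# Constructed sample input, not captured from a real cluster.
SAMPLE = {"items": [
    {"metadata": {"namespace": "fn-tenant-a", "name": "fn-ok"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "fn", "image": "registry.example.internal/fn:1",
          "securityContext": {"allowPrivilegeEscalation": False}}]}}}},
    {"metadata": {"namespace": "fn-tenant-b", "name": "fn-odd"},
     "spec": {"template": {"spec": {"hostPID": True,
         "volumes": [{"name": "h", "hostPath": {"path": "/var/log"}}],
         "containers": [{"name": "fn", "image": "docker.io/someone/tool:latest",
                         "securityContext": {"privileged": True}}]}}}}]}
```

Calling `audit_deployments(SAMPLE)` returns findings only for the second Deployment; the first passes every check.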
Exploitation status
Public Exploit Available: False
Analyst recommendation
The ability for a tenant to supply arbitrary pod specifications is a direct path to privilege escalation. Organizations using Fission must prioritize the upgrade to version 1.24.0 to ensure that tenant inputs are properly sanitized and restricted.