A critical privilege management vulnerability in Fission prior to version 1.24.0 allows attackers to perform container escape and gain cluster-level control.

A tenant with environments.fission.io create/update RBAC can deploy privileged containers within the Fission namespace. Because these pods are scheduled under the executor’s high-privilege service account, it enables sandbox escape, host filesystem access, and potential cluster-wide compromise.

This vulnerability, rated at 9.9 CVSS, is extremely dangerous as it allows for a complete breakout from container isolation. Successful exploitation grants the attacker the permissions of the executor service account, which in a Kubernetes environment typically results in full control over the cluster or underlying nodes, leading to massive data exfiltration or service disruption.

Immediate Action: Apply the update to version 1.24.0 immediately to remediate the incorrect RBAC and privilege escalation risks.

Proactive Monitoring: Conduct an immediate review of all users/entities currently holding environments.fission.io creation permissions and monitor for any suspicious pod deployment activities.

Compensating Controls: Use Kubernetes RBAC to strictly limit the namespace scope of service accounts and apply network policies to isolate the Fission namespace from critical cluster components.

Public Exploit Available: False

This is a critical security issue that requires immediate attention. Failure to patch allows tenants with minimal RBAC permissions to escalate to full cluster administration, representing an existential threat to the integrity of the Kubernetes environment.