Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects.
The columns output mode is the default when running ig run interactively.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Linuxfoundation Inspektor_Gadget
cpe:2.3:a:linuxfoundation:inspektor_gadget:*:*:*:*:*:*:*:*
|
— |
0.49.1
|
References 3
https://github.com/inspektor-gadget/inspektor-gadget/commit/d59cf72971f9b7110d9…
security-advisories@github.com
https://github.com/inspektor-gadget/inspektor-gadget/releases/tag/v0.49.1
security-advisories@github.com
https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-3…
security-advisories@github.com