CVE-2026-33022

{"id": "CVE-2026-33022", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T08:16:11.293", "references": [{"url": "https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-129"}]}], "descriptions": [{"lang": "en", "value": "Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability in that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2."}, {"lang": "es", "value": "El proyecto Tekton Pipelines proporciona recursos estilo k8s para declarar pipelines estilo CI/CD. Las versiones 0.60.0 a 1.0.0, 1.1.0 a 1.3.2, 1.4.0 a 1.6.0, 1.7.0 a 1.9.0, 1.10.0 y 1.10.1 tienen una vulnerabilidad de denegaci\u00f3n de servicio que permite a cualquier usuario que pueda crear un TaskRun o PipelineRun bloquear el controlador en todo el cl\u00faster al establecer .spec.taskRef.resolver (o .spec.pipelineRef.resolver) a una cadena de 31 o m\u00e1s caracteres. El bloqueo ocurre porque GenerateDeterministicNameFromSpec produce un nombre que excede el l\u00edmite de etiqueta DNS-1123 de 63 caracteres, y su l\u00f3gica de truncamiento entra en p\u00e1nico en un l\u00edmite de segmento [-1] ya que el nombre generado no contiene espacios. Una vez bloqueado, el controlador entra en un CrashLoopBackOff al reiniciar (ya que vuelve a reconciliar el recurso infractor), bloqueando toda la reconciliaci\u00f3n de CI/CD hasta que el recurso se elimine manualmente. Los resolvedores incorporados (git, cluster, bundles, hub) no se ven afectados debido a sus nombres cortos, pero cualquier nombre de resolvedor personalizado activa el error. La soluci\u00f3n trunca el prefijo del nombre del resolvedor en lugar de la cadena completa, preservando el sufijo hash para determinismo y unicidad. Este problema ha sido parcheado en las versiones 1.0.1, 1.3.3, 1.6.1, 1.9.2 y 1.10.2."}], "lastModified": "2026-03-24T16:19:48.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "F365D90F-DED5-4C32-9C73-3D5FF467778B", "versionEndExcluding": "1.0.1", "versionStartIncluding": "0.60.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "510D5C7F-FB2A-4059-AF03-A85FD23267F3", "versionEndExcluding": "1.3.3", "versionStartIncluding": "1.1.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "B4303F35-5E39-4F4B-9258-FE58CCA3C760", "versionEndExcluding": "1.6.1", "versionStartIncluding": "1.4.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "C465CD0F-E9E8-414D-9BED-49BEBD394E95", "versionEndExcluding": "1.9.2", "versionStartIncluding": "1.7.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "871426E3-9DCC-43CE-8262-D87D4F040AEE", "versionEndExcluding": "1.10.2", "versionStartIncluding": "1.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}