Tekton Pipelines' git resolver passes the revision parameter directly as a positional argument to git fetch without validating that it does not start with a '-' character. Because git interprets flags from positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Additionally, the validateRepoURL function permits URLs starting with '/', enabling local filesystem path usage. A tenant able to submit ResolutionRequest objects can chain these behaviors to execute arbitrary binaries on the resolver pod. The resolver pod's ServiceAccount has cluster-wide get/list/watch permissions on all Secrets, enabling full secret exfiltration upon code execution. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 contain fixes for this issue.

Successful exploitation allows an attacker with limited privileges (tenant able to submit ResolutionRequest objects) to execute arbitrary code on the resolver pod. Given the resolver pod's ServiceAccount has cluster-wide permissions to access all Secrets, this leads to full cluster-wide secret exfiltration. The vulnerability impacts confidentiality, integrity, and availability of the Kubernetes cluster managed by Tekton Pipelines.

Fixed versions are 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1. Users should upgrade to one of these versions to remediate the vulnerability. Patch status is not explicitly confirmed in the vendor advisory content provided, but the description states these versions fix the issue. No other mitigation or temporary workaround is indicated.