CVE-2026-33022— Tekton Pipelines: Controller can panic when setting long resolver names in TaskRun/PipelineRun

Tekton Pipelines: Controller can panic when setting long resolver names in TaskRun/PipelineRun

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability in that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

对数组索引的验证不恰当

Tekton Pipelines 输入验证错误漏洞

Tekton Pipelines是Tekton开源的一个云原生管道。 Tekton Pipelines 0.60.0至1.0.0版本、1.1.0至1.3.2版本、1.4.0至1.6.0版本、1.7.0至1.9.0版本、1.10.0版本和1.10.1版本存在输入验证错误漏洞，该漏洞源于设置过长的解析器名称会导致控制器崩溃，可能导致集群范围的拒绝服务。

N/A

N/A