Threat Feed

Product: Fission (3 briefs)
high advisory

Fission Function Pods Leak Service Account Token, Enabling Namespace-Wide Secret Access

Fission runtime pods were created with the `fission-fetcher` service account, which holds namespace-wide `get` access to secrets and configmaps. Because that pod's automatically mounted service-account token was reachable from inside the user's function container, user-supplied function code inherited the same Kubernetes API privileges and could read any secret or configmap in the function's namespace, far beyond the `Function.spec.secrets` allowlist that is meant to bound what a function can see.

fission/fission privilege-escalation kubernetes faas
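The following Go program is an added example, not Fission code: it turns the brief above into an audit that can be run against exported cluster objects. It maps Roles and RoleBindings to the service accounts that can read secrets or configmaps across a whole namespace, then flags pods that run as one of those accounts while still mounting the token. The embedded sample objects are constructed to mirror the brief; the exact rule contents, the pod names and the fact that the service account is reached through a RoleBinding rather than a ClusterRoleBinding are assumptions, not Fission's real manifests.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Stdlib-only shapes of the objects the audit reads (hypothetical example code,
// not Fission's); encoding/json matches keys case-insensitively, so no tags.
type Meta struct{ Name string }
type Rule struct{ Resources, Verbs, ResourceNames []string }
type Role struct{ Metadata Meta; Rules []Rule }
type Subject struct{ Kind, Name string }
type RoleBinding struct{ Subjects []Subject; RoleRef Meta }
type PodSpec struct {
	ServiceAccountName           string
	AutomountServiceAccountToken *bool
}
type Pod struct{ Metadata Meta; Spec PodSpec }

var readVerbs = map[string]bool{"get": true, "list": true, "watch": true, "*": true}
var sensitive = map[string]bool{"secrets": true, "configmaps": true, "*": true}

// BroadReaders maps service-account names to the sensitive kinds they can read
// across the whole namespace: a read verb on secrets/configmaps with no
// resourceNames restriction, reached through a RoleBinding.
func BroadReaders(roles []Role, bindings []RoleBinding) map[string][]string {
	roleHits := map[string][]string{}
	for _, role := range roles {
		seen := map[string]bool{}
		for _, r := range role.Rules {
			canRead := false
			for _, v := range r.Verbs {
				canRead = canRead || readVerbs[v]
			}
			if !canRead || len(r.ResourceNames) > 0 {
				continue // no read verb, or scoped to named objects (the allowlist shape)
			}
			for _, res := range r.Resources {
				if sensitive[res] && !seen[res] {
					seen[res] = true
					roleHits[role.Metadata.Name] = append(roleHits[role.Metadata.Name], res)
				}
			}
		}
	}
	out := map[string][]string{}
	for _, b := range bindings {
		for _, s := range b.Subjects {
			if s.Kind == "ServiceAccount" && len(roleHits[b.RoleRef.Name]) > 0 {
				out[s.Name] = append(out[s.Name], roleHits[b.RoleRef.Name]...)
			}
		}
	}
	return out
}

// AuditPods flags pods that run as such a service account while still mounting
// its token. A nil automountServiceAccountToken is the Kubernetes default (true);
// an opt-out set on the ServiceAccount object itself is not modelled here.
func AuditPods(pods []Pod, readers map[string][]string) (findings []string) {
	for _, p := range pods {
		hits, ok := readers[p.Spec.ServiceAccountName]
		mounted := p.Spec.AutomountServiceAccountToken == nil || *p.Spec.AutomountServiceAccountToken
		if ok && mounted {
			findings = append(findings, fmt.Sprintf("pod %s: SA %s token mounted, namespace-wide read on %s",
				p.Metadata.Name, p.Spec.ServiceAccountName, strings.Join(hits, ",")))
		}
	}
	return findings
}

// Constructed sample modelled on the brief: a Role with namespace-wide get on
// secrets and configmaps bound to fission-fetcher, a runtime pod that mounts the
// token and a hardened copy that does not (illustrative, not Fission's manifests).
const sample = `{
 "roles":[{"metadata":{"name":"fission-fetcher"},
   "rules":[{"resources":["secrets","configmaps"],"verbs":["get"]}]}],
 "bindings":[{"roleRef":{"name":"fission-fetcher"},
   "subjects":[{"kind":"ServiceAccount","name":"fission-fetcher"}]}],
 "pods":[{"metadata":{"name":"runtime-pod"},"spec":{"serviceAccountName":"fission-fetcher"}},
   {"metadata":{"name":"runtime-pod-hardened"},
    "spec":{"serviceAccountName":"fission-fetcher","automountServiceAccountToken":false}}]}`

// SampleFindings runs the audit over the constructed sample; real input would be
// the .items arrays from kubectl get roles,rolebindings,pods -n <ns> -o json.
func SampleFindings() []string {
	var in struct{ Roles []Role; Bindings []RoleBinding; Pods []Pod }
	if err := json.Unmarshal([]byte(sample), &in); err != nil {
		panic(err)
	}
	return AuditPods(in.Pods, BroadReaders(in.Roles, in.Bindings))
}
```

Only `runtime-pod` is reported: the hardened copy runs as the same over-privileged account but has nothing to leak, because no token reaches the function container. A rule that carries `resourceNames` is deliberately not counted, since a per-function allowlist of named secrets is the shape `Function.spec.secrets` is supposed to enforce.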
critical advisory

Fission Function Invocation Bypass via Public Router Endpoint

The Fission router served the `/fission-function/<ns>/<name>` endpoint on its public listener, so anyone who could reach the router could invoke any function by namespace and name, whether or not an HTTPTrigger had been created for it. This bypasses the trigger model entirely and, on shared clusters, opens cross-tenant exploitation. Patched in v1.23.0.

fission function-invocation bypass kubernetes
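The Go program below is an added example, not Fission's router code, and the brief does not say how v1.23.0 fixed the issue; what it shows is the general principle. A single `net/http` mux models the pre-fix layout, where HTTPTrigger routes and the direct `/fission-function/<ns>/<name>` route share one public handler, and a split layout keeps the direct route on a separate handler that would be bound to an internal-only listener. The `invoke` stand-in, the `Trigger` type and the trigger paths are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// invoke stands in for dispatching a request to a function's executor
// (hypothetical; Fission's real router and executor are not used here).
func invoke(w http.ResponseWriter, ns, name string) {
	fmt.Fprintf(w, "invoked %s/%s", ns, name)
}

// directInvokeHandler serves /fission-function/<ns>/<name>: whoever can reach
// it runs any function by name, HTTPTrigger or not.
func directInvokeHandler(w http.ResponseWriter, r *http.Request) {
	parts := strings.Split(strings.TrimPrefix(r.URL.Path, "/fission-function/"), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		http.NotFound(w, r)
		return
	}
	invoke(w, parts[0], parts[1])
}

// Trigger is a constructed HTTPTrigger: one public path bound to one function.
type Trigger struct{ Path, Namespace, Name string }

// triggerMux registers only the routes an HTTPTrigger explicitly created.
func triggerMux(triggers []Trigger) *http.ServeMux {
	mux := http.NewServeMux()
	for _, t := range triggers {
		t := t
		mux.HandleFunc(t.Path, func(w http.ResponseWriter, r *http.Request) { invoke(w, t.Namespace, t.Name) })
	}
	return mux
}

// VulnerableRouter models the pre-fix layout: trigger routes and the direct
// invocation route share the one public listener.
func VulnerableRouter(triggers []Trigger) http.Handler {
	mux := triggerMux(triggers)
	mux.HandleFunc("/fission-function/", directInvokeHandler)
	return mux
}

// HardenedRouter returns two handlers meant for two listeners: public carries
// only trigger routes, internal carries direct invocation and must never be
// reachable through the public Service or Ingress.
func HardenedRouter(triggers []Trigger) (public, internal http.Handler) {
	internalMux := http.NewServeMux()
	internalMux.HandleFunc("/fission-function/", directInvokeHandler)
	return triggerMux(triggers), internalMux
}

// Probe sends one GET through a handler and returns the status code.
func Probe(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	triggers := []Trigger{{Path: "/hello", Namespace: "default", Name: "hello"}}
	pub, internal := HardenedRouter(triggers)
	target := "/fission-function/default/untriggered" // no HTTPTrigger exists for this function
	fmt.Println("vulnerable public listener:", Probe(VulnerableRouter(triggers), target)) // 200
	fmt.Println("hardened public listener:", Probe(pub, target))                          // 404
	fmt.Println("hardened internal listener:", Probe(internal, target))                   // 200
}
```

The check worth running against a real deployment is the first line of `main` in spirit: request `/fission-function/<ns>/<name>` for a function that has no HTTPTrigger through whatever address the router is published on. A 200 from the public address is the condition the brief describes.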
high threat

Fission StorageSvc Unauthenticated Archive CRUD Vulnerability

The Fission `storagesvc` component exposes unauthenticated CRUD operations on its `/v1/archive` endpoint. Any workload that can reach the service from inside the cluster can enumerate archive IDs, download archives, upload arbitrary content, and delete archives. Downloaded archives expose deployed function code and any secrets bundled with it, and deleting or replacing archives disrupts the functions that depend on them.

fission kubernetes serverless authentication-bypass code-execution
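To make the exposure concrete, here is an added Go example, not Fission's `storagesvc` code: an in-memory archive store that serves the `/v1/archive` CRUD surface with no authentication, exactly the state the brief describes, beside a bearer-token middleware that closes it. The store layout, the `archive-N` identifiers, the token value and the idea that Fission's own components would hold the token (for instance from a mounted Secret) are all assumptions for illustration; a NetworkPolicy restricting ingress to the service is the complementary control and is not shown.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
	"sync"
)

// ArchiveStore is a constructed in-memory stand-in for storagesvc's archive
// backend (hypothetical example code, not Fission's).
type ArchiveStore struct {
	mu       sync.Mutex
	archives map[string][]byte
	seq      int
}

func NewArchiveStore() *ArchiveStore { return &ArchiveStore{archives: map[string][]byte{}} }

// ServeHTTP exposes /v1/archive CRUD with no authentication at all, so anything
// that can reach the port can enumerate, download, upload and delete archives.
func (s *ArchiveStore) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	s.mu.Lock()
	defer s.mu.Unlock()
	id := strings.Trim(strings.TrimPrefix(r.URL.Path, "/v1/archive"), "/")
	switch {
	case r.Method == http.MethodGet && id == "": // enumerate archive IDs
		ids := make([]string, 0, len(s.archives))
		for k := range s.archives {
			ids = append(ids, k)
		}
		sort.Strings(ids)
		fmt.Fprint(w, strings.Join(ids, "\n"))
	case r.Method == http.MethodGet: // download one archive
		body, ok := s.archives[id]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Write(body)
	case r.Method == http.MethodPost && id == "": // upload arbitrary content
		body, _ := io.ReadAll(r.Body)
		s.seq++
		newID := fmt.Sprintf("archive-%d", s.seq)
		s.archives[newID] = body
		w.WriteHeader(http.StatusCreated)
		fmt.Fprint(w, newID)
	case r.Method == http.MethodDelete && id != "": // disrupt the owning function
		delete(s.archives, id)
		w.WriteHeader(http.StatusNoContent)
	default:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	}
}

// RequireBearer is the missing control: a shared secret only trusted callers
// hold, compared in constant time. Provisioning it (e.g. a Secret mounted into
// storagesvc and its callers) is an assumption of this example.
func RequireBearer(token string, next http.Handler) http.Handler {
	want := []byte("Bearer " + token)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("Authorization"))
		if subtle.ConstantTimeCompare(got, want) != 1 {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Call performs one request against a handler and returns status and body.
func Call(h http.Handler, method, path, token, body string) (int, string) {
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	open := NewArchiveStore()
	code, id := Call(open, http.MethodPost, "/v1/archive", "", "zip-bytes")
	fmt.Println("open store, anonymous upload:", code, id) // 201 archive-1
	locked := RequireBearer("constructed-token", NewArchiveStore())
	code, _ = Call(locked, http.MethodGet, "/v1/archive", "", "")
	fmt.Println("locked store, anonymous list:", code) // 401
	code, _ = Call(locked, http.MethodGet, "/v1/archive", "constructed-token", "")
	fmt.Println("locked store, list with token:", code) // 200
}
```

Against a live cluster the equivalent check is an anonymous `GET /v1/archive` from any pod to the storagesvc Service: a 200 with a list of IDs means the surface is open. Note that `RequireBearer` returns 401 for a missing, wrong or mis-sized header alike, since `subtle.ConstantTimeCompare` treats a length mismatch as a mismatch.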