<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Groovy - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/groovy/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 19:42:07 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/groovy/feed.xml" rel="self" type="application/rss+xml"/><item><title>Nuclio Java Runtime Vulnerability Leads to Build-Time Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-07-nuclio-rce/</link><pubDate>Thu, 16 Jul 2026 19:42:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-nuclio-rce/</guid><description>Nuclio's Java runtime dashboard API, by default configured with NOP authentication, is vulnerable to remote code execution (CWE-94) where attackers can inject arbitrary Groovy code into the unsanitized `runtimeAttributes.repositories` field, which is directly written into the `build.gradle` file, allowing the injected code to execute during the Gradle configuration phase as root within the build container.</description><content:encoded><![CDATA[<p>A critical vulnerability (CWE-94, Improper Control of Generation of Code) has been discovered in Nuclio's Java runtime, affecting versions up to and including 1.15.27. This flaw enables unauthenticated attackers to achieve remote code execution (RCE) within the build environment. The vulnerability stems from the Dashboard API's default NOP authentication and a lack of input validation on the <code>runtimeAttributes.repositories</code> field. Attackers can embed arbitrary Groovy code into this field, which is then unescaped and directly written into the <code>build.gradle</code> file during the function build process. This injected code executes unconditionally during the Gradle configuration phase with root privileges inside the builder container, leading to a complete compromise of the build system. The issue was dynamically verified and confirmed to allow commands like <code>id</code>, <code>hostname</code>, and <code>whoami</code> to execute as the root user.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends an HTTP POST request to the Nuclio Dashboard API's <code>/api/functions</code> endpoint.</li>
<li>The request body includes a malicious <code>runtimeAttributes.repositories</code> field within the function definition, containing Groovy code designed to break out of the <code>repositories {}</code> block and execute arbitrary commands.</li>
<li>The Dashboard API receives the request; due to default NOP authentication, no credentials or input validation are performed on the <code>runtimeAttributes.repositories</code> content.</li>
<li>The <code>newBuildAttributes()</code> function decodes the <code>runtimeAttributes</code> without content inspection, allowing the malicious string to pass through.</li>
<li>The <code>createGradleBuildScript()</code> function uses Go's <code>text/template</code> engine to render the <code>runtimeAttributes.repositories</code> verbatim into the <code>build.gradle</code> file, without any contextual escaping.</li>
<li>The generated <code>build.gradle</code> file now contains the attacker's injected Groovy code as top-level statements.</li>
<li>The build process, executed by <code>./build-user-handler.sh</code> inside the <code>quay.io/nuclio/handler-builder-java-onbuild</code> container, invokes <code>gradle tasks</code> and <code>gradle userHandler</code>.</li>
<li>During Gradle's configuration phase, the injected Groovy statements are evaluated, executing the attacker's arbitrary commands (e.g., <code>id &amp;&amp; hostname &amp;&amp; whoami</code>) with root privileges (<code>uid=0</code>) inside the build container.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in unauthenticated remote code execution with root privileges on the Nuclio build container. An attacker can execute arbitrary commands, leading to full compromise of the build environment, potential data exfiltration, supply chain attacks by injecting malicious code into compiled artifacts, or further lateral movement within the hosting Kubernetes cluster. The proof-of-concept demonstrated execution of <code>id &amp;&amp; hostname &amp;&amp; whoami</code> commands, returning <code>uid=0(root) gid=0(root) groups=0(root)</code>, confirming maximum privileges.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch Nuclio deployments immediately to a version greater than 1.15.27 (once available) as this version is confirmed vulnerable.</li>
<li>Monitor <code>process_creation</code> logs on Linux build containers for suspicious shell command execution (e.g., <code>sh -c</code> followed by system enumeration commands like <code>id</code>, <code>whoami</code>, <code>hostname</code>) with <code>java</code> as a parent process running <code>gradle</code>, as described in the detection rule below.</li>
<li>Implement robust authentication and authorization for the Nuclio Dashboard API, moving away from NOP authentication, to prevent unauthenticated access.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>code-injection</category><category>rce</category><category>template-injection</category><category>kubernetes</category><category>ci-cd</category><category>groovy</category></item></channel></rss>