Critical Cache Poisoning Vulnerability (CACHE-001) Verified Exploitable in slashben/kubescape Repository
A critical security flaw has been verified as exploitable in the slashben/kubescape GitHub repository, posing a direct threat to its CI/CD pipeline integrity. The vulnerability, identified as CACHE-001, is a cache poisoning attack enabled by a shared cache scope between untrusted and trusted workflows. Automated pentesting agents confirmed the exploit, leading to the severity being adjusted from HIGH to CRITICAL. This finding falls under the OWASP CI/CD security category CICD-SEC-4, indicating a significant risk to the software supply chain.
The repository contains two key workflows. The first, `00-pr-scanner.yaml`, is triggered by `pull_request` events from potentially untrusted sources and calls a reusable workflow that uses `actions/setup-go@v4` with caching enabled by default. The second, `02-release.yaml`, is a trusted workflow triggered by `push` events on version tags and uses `actions/setup-go@v5`. The core of the vulnerability lies in the shared cache scope between these workflows, which allows a malicious actor submitting a pull request to poison the Go dependency cache. That poisoned cache could then be restored by the trusted release workflow, potentially leading to the execution of malicious code during the build and release of official versions of the software.
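As an added example (not code from the kubescape project or from the original advisory), the following audit detects exactly this shape in a set of workflow definitions: an untrusted `pull_request` workflow and a trusted tag-push workflow that both run `actions/setup-go` with caching on, following job-level `uses:` into reusable workflows the way `00-pr-scanner.yaml` does. Workflows are passed as already parsed dicts built from constructed sample data; the `cache` input it inspects is setup-go's real input, which defaults to on from v4, so setting `cache: false` on the release step clears the finding.

```python
import re

UNTRUSTED_EVENTS = {"pull_request"}  # code controlled by an outside contributor
TRUSTED_EVENTS = {"push", "release", "workflow_dispatch"}  # maintainer-only triggers

def events(workflow):
    """Set of trigger event names from a workflow's `on:` block."""
    on = workflow.get("on", {})
    return set(on) if isinstance(on, (dict, list)) else {on}

def setup_go_caches(workflow, catalog):
    """True if any step, directly or via a reusable workflow in `catalog`, runs
    actions/setup-go with caching on (v4+ cache unless `cache: false` is set)."""
    for job in workflow.get("jobs", {}).values():
        if "uses" in job:  # a job-level `uses:` is a reusable workflow call
            name = job["uses"].split("/")[-1].split("@")[0]
            if name in catalog and setup_go_caches(catalog[name], catalog):
                return True
        for step in job.get("steps", []):
            m = re.match(r"actions/setup-go@v(\d+)", step.get("uses", ""))
            if not m:
                continue
            default = int(m.group(1)) >= 4  # v3 and earlier only cache when asked
            cache = (step.get("with") or {}).get("cache", default)
            if str(cache).lower() == "true":
                return True
    return False

def find_shared_cache(catalog):
    """Pairs (untrusted writer, trusted reader) that both populate and restore
    the setup-go cache: the CACHE-001 shape described above."""
    writers = [n for n, w in catalog.items()
               if events(w) & UNTRUSTED_EVENTS and setup_go_caches(w, catalog)]
    readers = [n for n, w in catalog.items()
               if events(w) & TRUSTED_EVENTS and setup_go_caches(w, catalog)]
    return [(w, r) for w in writers for r in readers if w != r]

# Constructed sample catalog shaped like the workflows described above
# (not the real kubescape files); keys are workflow file names.
SAMPLE = {
    "00-pr-scanner.yaml": {"on": {"pull_request": {}},
        "jobs": {"scan": {"uses": "./.github/workflows/build.yaml"}}},
    "build.yaml": {"on": {"workflow_call": {}},
        "jobs": {"build": {"steps": [{"uses": "actions/setup-go@v4",
                                      "with": {"go-version": "1.21"}}]}}},
    "02-release.yaml": {"on": {"push": {"tags": ["v*"]}},
        "jobs": {"release": {"steps": [{"uses": "actions/setup-go@v5"}]}}},
}
```

`find_shared_cache(SAMPLE)` reports the PR scanner as writer and the release workflow as reader; adding `with: {cache: false}` to the release step, or giving the trusted workflow its own cache key that PR runs cannot write, removes the pair.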
This verified exploit represents a severe software supply chain risk. The kubescape project, a Kubernetes security tool, is now exposed to potential compromise where a seemingly routine code contribution could be weaponized to inject backdoors into its official releases. The incident underscores the critical importance of strict cache isolation in CI/CD systems, especially for security-focused projects that handle both external contributions and internal release processes. The verification status leaves no doubt about the immediate exploitability of this configuration flaw.