Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.
References
Link | Resource |
---|---|
https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-05-06T01:10:09
Updated: 2022-05-06T01:10:09
Reserved: 2022-02-10T00:00:00
Link: CVE-2022-24877
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-05-06T01:15:09.387
Modified: 2024-02-08T02:06:58.990
Link: CVE-2022-24877
JSON object: View
Redhat Information
No data.