CVE-2022-24877 - OpenCVE

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Fluxcd	Kustomize-controller Flux2

Configuration 1 [-]

OR	cpe:2.3:a:fluxcd:flux2::::::::
	cpe:2.3:a:fluxcd:kustomize-controller::::::::

References

Link	Resource
https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-05-06T01:10:09

Updated: 2022-05-06T01:10:09

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24877

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-05-06T01:15:09.387

Modified: 2024-02-08T02:06:58.990

Link: CVE-2022-24877

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "flux2", "vendor": "fluxcd", "versions": [{"status": "affected", "version": "flux2 < v0.29.0"}, {"status": "affected", "version": "kustomize-controller < v0.24.0"}]}], "descriptions": [{"lang": "en", "value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-36", "description": "CWE-36: Absolute Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-06T01:10:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"}], "source": {"advisory": "GHSA-j77r-2fxf-5jrw", "discovery": "UNKNOWN"}, "title": "Improper path handling in kustomization files allows path traversal", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24877", "STATE": "PUBLIC", "TITLE": "Improper path handling in kustomization files allows path traversal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "flux2", "version": {"version_data": [{"version_value": "flux2 < v0.29.0"}, {"version_value": "kustomize-controller < v0.24.0"}]}}]}, "vendor_name": "fluxcd"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"description": [{"lang": "eng", "value": "CWE-36: Absolute Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw", "refsource": "CONFIRM", "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"}]}, "source": {"advisory": "GHSA-j77r-2fxf-5jrw", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24877", "datePublished": "2022-05-06T01:10:09", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2022-05-06T01:10:09", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*", "matchCriteriaId": "45B1C066-F71F-48F7-9119-200CAE4E42B8", "versionEndExcluding": "0.29.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "E813B615-DAA8-47E8-A35C-98A5D752663D", "versionEndExcluding": "0.24.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0."}, {"lang": "es", "value": "Flux es una soluci\u00f3n de entrega continua abierta y extensible para Kubernetes. Un Salto de Ruta en el controlador kustomize por medio de un \"kustomization.yaml\" malicioso permite a un atacante exponer datos confidenciales del sistema de archivos del pod del controlador y posiblemente escalar privilegios en despliegues multi-tenancy. Las mitigaciones incluyen herramientas automatizadas en la cadena de trabajo CI/CD del usuario para comprobar que los archivos \"kustomization.yaml\" sean ajustados a pol\u00edticas espec\u00edficas. Esta vulnerabilidad ha sido corregida en kustomize-controller versiones v0.24.0 y ha sido incluida en flux2 versi\u00f3n v0.29.0"}], "id": "CVE-2022-24877", "lastModified": "2024-02-08T02:06:58.990", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-05-06T01:15:09.387", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-36"}], "source": "security-advisories@github.com", "type": "Secondary"}]}