CVE-2022-24878 - OpenCVE

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Fluxcd	Kustomize-controller Flux2

Configuration 1 [-]

OR	cpe:2.3:a:fluxcd:flux2::::::::
	cpe:2.3:a:fluxcd:kustomize-controller::::::::

References

Link	Resource
https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-05-06T01:35:08

Updated: 2022-05-06T01:35:08

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24878

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-05-06T02:15:07.070

Modified: 2022-05-14T03:03:39.940

Link: CVE-2022-24878

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "flux2", "vendor": "fluxcd", "versions": [{"status": "affected", "version": "flux2 < v0.28.5, >= v0.19.0"}, {"status": "affected", "version": "kustomize < v0.29.0, >= v0.16.0"}]}], "descriptions": [{"lang": "en", "value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-06T01:35:08", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp"}], "source": {"advisory": "GHSA-7pwf-jg34-hxwp", "discovery": "UNKNOWN"}, "title": "Improper path handling in Kustomization files allows for denial of service", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24878", "STATE": "PUBLIC", "TITLE": "Improper path handling in Kustomization files allows for denial of service"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "flux2", "version": {"version_data": [{"version_value": "flux2 < v0.28.5, >= v0.19.0"}, {"version_value": "kustomize < v0.29.0, >= v0.16.0"}]}}]}, "vendor_name": "fluxcd"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp", "refsource": "CONFIRM", "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp"}]}, "source": {"advisory": "GHSA-7pwf-jg34-hxwp", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24878", "datePublished": "2022-05-06T01:35:08", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2022-05-06T01:35:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*", "matchCriteriaId": "45B1C066-F71F-48F7-9119-200CAE4E42B8", "versionEndExcluding": "0.29.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "E813B615-DAA8-47E8-A35C-98A5D752663D", "versionEndExcluding": "0.24.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade."}, {"lang": "es", "value": "Flux es una soluci\u00f3n de entrega continua abierta y extensible para Kubernetes. Un Salto de Ruta en el kustomize-controller por medio de un \"kustomization.yaml\" malicioso permite a un atacante causar una Denegaci\u00f3n de Servicio a nivel del controlador. Las mitigaciones incluyen herramientas automatizadas en la cadena de producci\u00f3n CI/CD del usuario para comprobar que los archivos \"kustomization.yaml\" son ajustadas a pol\u00edticas espec\u00edficas. Esta vulnerabilidad ha sido corregida en kustomize-controller versi\u00f3n v0.24.0 y ha sido incluido en flux2 versi\u00f3n v0.29.0. Se recomienda a usuarios que actualizar"}], "id": "CVE-2022-24878", "lastModified": "2022-05-14T03:03:39.940", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-05-06T02:15:07.070", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}