CVE-2022-24877

moderate-risk
Published 2022-05-06

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.

Do I need to act?

-
0.62% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: adf5a5278f164834a29453f47d5281d2616c07e5
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Flux2
Kustomize-Controller

Affected Vendors

Fluxcd

References (2)

Vendor Advisory https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw
Vendor Advisory https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw
42
/ 100
moderate-risk
Severity 33/34 · Critical
Exploitability 2/34 · Minimal
Exposure 7/34 · Low