Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-24877

Good to know:

icon

Date: May 5, 2022

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious "kustomization.yaml" allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate "kustomization.yaml" files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.

Language: Go

Severity Score

Related Resources (6)

https://nvd.nist.gov/vuln/detail/CVE-2022-24877
github.com/fluxcd/kustomize-controller
https://github.com/fluxcd/kustomize-controller/commit/f4528fb25d611da94e491346bea056d5c5c3611f
https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw
https://github.com/fluxcd/pkg/commit/0ec014baf417fd3879d366a45503a548b9267d2a
https://www.mend.io/vulnerability-database/CVE-2022-24877

Severity Score

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Absolute Path Traversal

CWE-36

Top Fix

icon

Upgrade Version

Upgrade to version github.com/fluxcd/kustomize-controller - v0.24.0;github.com/fluxcd/flux2 - v0.29.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us