OpenCVE

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fluxcd	Flux2 Kustomize-controller

Configuration 1 [-]

OR	cpe:2.3:a:fluxcd:flux2::::::::
	cpe:2.3:a:fluxcd:kustomize-controller::::::::

No data.

References

Link	Providers
https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-05-06T01:10:09

Updated: 2024-08-03T04:29:00.196Z

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24877

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-05-06T01:15:09.387

Modified: 2024-11-21T06:51:18.167

Link: CVE-2022-24877

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "flux2", "vendor": "fluxcd", "versions": [{"status": "affected", "version": "flux2 < v0.29.0"}, {"status": "affected", "version": "kustomize-controller < v0.24.0"}]}], "descriptions": [{"lang": "en", "value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-36", "description": "CWE-36: Absolute Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-06T01:10:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"}], "source": {"advisory": "GHSA-j77r-2fxf-5jrw", "discovery": "UNKNOWN"}, "title": "Improper path handling in kustomization files allows path traversal", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24877", "STATE": "PUBLIC", "TITLE": "Improper path handling in kustomization files allows path traversal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "flux2", "version": {"version_data": [{"version_value": "flux2 < v0.29.0"}, {"version_value": "kustomize-controller < v0.24.0"}]}}]}, "vendor_name": "fluxcd"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"description": [{"lang": "eng", "value": "CWE-36: Absolute Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw", "refsource": "CONFIRM", "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"}]}, "source": {"advisory": "GHSA-j77r-2fxf-5jrw", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:29:00.196Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24877", "datePublished": "2022-05-06T01:10:09", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:29:00.196Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*", "matchCriteriaId": "45B1C066-F71F-48F7-9119-200CAE4E42B8", "versionEndExcluding": "0.29.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "E813B615-DAA8-47E8-A35C-98A5D752663D", "versionEndExcluding": "0.24.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0."}, {"lang": "es", "value": "Flux es una soluci\u00f3n de entrega continua abierta y extensible para Kubernetes. Un Salto de Ruta en el controlador kustomize por medio de un \"kustomization.yaml\" malicioso permite a un atacante exponer datos confidenciales del sistema de archivos del pod del controlador y posiblemente escalar privilegios en despliegues multi-tenancy. Las mitigaciones incluyen herramientas automatizadas en la cadena de trabajo CI/CD del usuario para comprobar que los archivos \"kustomization.yaml\" sean ajustados a pol\u00edticas espec\u00edficas. Esta vulnerabilidad ha sido corregida en kustomize-controller versiones v0.24.0 y ha sido incluida en flux2 versi\u00f3n v0.29.0"}], "id": "CVE-2022-24877", "lastModified": "2024-11-21T06:51:18.167", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-06T01:15:09.387", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-36"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}