All the vulnerabilites related to fluxcd - flux2
cve-2022-39272
Vulnerability from cvelistv5
Published
2022-10-21 00:00
Modified
2024-08-03 12:00
Severity ?
EPSS score ?
Summary
Flux2 vulnerable to Denial of Service due to Improper use of metav1.Duration
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/kubernetes/apimachinery/issues/131"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "flux2",
"vendor": "fluxcd",
"versions": [
{
"status": "affected",
"version": "\u003c 0.35.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux\u2019s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284: Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-21T00:00:00",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v"
},
{
"url": "https://github.com/kubernetes/apimachinery/issues/131"
}
],
"source": {
"advisory": "GHSA-f4p5-x4vc-mh4v",
"discovery": "UNKNOWN"
},
"title": "Flux2 vulnerable to Denial of Service due to Improper use of metav1.Duration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39272",
"datePublished": "2022-10-21T00:00:00",
"dateReserved": "2022-09-02T00:00:00",
"dateUpdated": "2024-08-03T12:00:43.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24817
Vulnerability from cvelistv5
Published
2022-05-06 00:00
Modified
2024-08-03 04:20
Severity ?
EPSS score ?
Summary
Improper kubeconfig validation allows arbitrary code execution
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "flux2",
"vendor": "fluxcd",
"versions": [
{
"status": "affected",
"version": "flux2 \u003c v0.29.0 \u003e= v0.1.0"
},
{
"status": "affected",
"version": "helm-controller \u003c v0.23.0 \u003e= v0.1.0"
},
{
"status": "affected",
"version": "kustomize-controller \u003c v0.19.0 \u003e= v0.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller\u0027s service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller\u2019s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-06T00:00:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc"
}
],
"source": {
"advisory": "GHSA-vvmq-fwmg-2gjc",
"discovery": "UNKNOWN"
},
"title": "Improper kubeconfig validation allows arbitrary code execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24817",
"STATE": "PUBLIC",
"TITLE": "Improper kubeconfig validation allows arbitrary code execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "flux2",
"version": {
"version_data": [
{
"version_value": "flux2 \u003c v0.29.0 \u003e= v0.1.0"
},
{
"version_value": "helm-controller \u003c v0.23.0 \u003e= v0.1.0"
},
{
"version_value": "kustomize-controller \u003c v0.19.0 \u003e= v0.2.0"
}
]
}
}
]
},
"vendor_name": "fluxcd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller\u0027s service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller\u2019s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc",
"refsource": "CONFIRM",
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc"
}
]
},
"source": {
"advisory": "GHSA-vvmq-fwmg-2gjc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24817",
"datePublished": "2022-05-06T00:00:14",
"dateReserved": "2022-02-10T00:00:00",
"dateUpdated": "2024-08-03T04:20:50.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-36049
Vulnerability from cvelistv5
Published
2022-09-07 20:15
Modified
2024-08-03 09:52
Severity ?
EPSS score ?
Summary
Flux2 Helm Controller denial of service
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3 | x_refsource_CONFIRM | |
| https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh | x_refsource_MISC | |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996 | x_refsource_MISC | |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.382Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "flux2",
"vendor": "fluxcd",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.4, \u003c 0.23.0"
},
{
"status": "affected",
"version": "\u003e= 0.0.17, \u003c 0.32.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-07T20:15:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
}
],
"source": {
"advisory": "GHSA-p2g7-xwvr-rrw3",
"discovery": "UNKNOWN"
},
"title": "Flux2 Helm Controller denial of service",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36049",
"STATE": "PUBLIC",
"TITLE": "Flux2 Helm Controller denial of service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "flux2",
"version": {
"version_data": [
{
"version_value": "\u003e= 0.0.4, \u003c 0.23.0"
},
{
"version_value": "\u003e= 0.0.17, \u003c 0.32.0"
}
]
}
}
]
},
"vendor_name": "fluxcd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3",
"refsource": "CONFIRM",
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
},
{
"name": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh",
"refsource": "MISC",
"url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
},
{
"name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996",
"refsource": "MISC",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
},
{
"name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360",
"refsource": "MISC",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
}
]
},
"source": {
"advisory": "GHSA-p2g7-xwvr-rrw3",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36049",
"datePublished": "2022-09-07T20:15:13",
"dateReserved": "2022-07-15T00:00:00",
"dateUpdated": "2024-08-03T09:52:00.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-36035
Vulnerability from cvelistv5
Published
2022-08-31 14:55
Modified
2024-08-03 09:52
Severity ?
EPSS score ?
Summary
Flux CLI Workload Injection
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/fluxcd/flux2/security/advisories/GHSA-xwf3-6rgv-939r | x_refsource_CONFIRM | |
| https://github.com/fluxcd/flux2/releases/tag/v0.32.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.302Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-xwf3-6rgv-939r"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fluxcd/flux2/releases/tag/v0.32.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "flux2",
"vendor": "fluxcd",
"versions": [
{
"status": "affected",
"version": "\u003c 0.32.0, \u003e= 0.21.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of user-supplied input, which results in a path traversal that can be controlled by the attacker. Users sharing the same shell between other applications and the Flux CLI commands could be affected by this vulnerability. In some scenarios no errors may be presented, which may cause end users not to realize that something is amiss. A safe workaround is to execute Flux CLI in ephemeral and isolated shell environments, which can ensure no persistent values exist from previous processes. However, upgrading to the latest version of the CLI is still the recommended mitigation strategy."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-31T14:55:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-xwf3-6rgv-939r"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluxcd/flux2/releases/tag/v0.32.0"
}
],
"source": {
"advisory": "GHSA-xwf3-6rgv-939r",
"discovery": "UNKNOWN"
},
"title": "Flux CLI Workload Injection",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36035",
"STATE": "PUBLIC",
"TITLE": "Flux CLI Workload Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "flux2",
"version": {
"version_data": [
{
"version_value": "\u003c 0.32.0, \u003e= 0.21.0"
}
]
}
}
]
},
"vendor_name": "fluxcd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of user-supplied input, which results in a path traversal that can be controlled by the attacker. Users sharing the same shell between other applications and the Flux CLI commands could be affected by this vulnerability. In some scenarios no errors may be presented, which may cause end users not to realize that something is amiss. A safe workaround is to execute Flux CLI in ephemeral and isolated shell environments, which can ensure no persistent values exist from previous processes. However, upgrading to the latest version of the CLI is still the recommended mitigation strategy."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-xwf3-6rgv-939r",
"refsource": "CONFIRM",
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-xwf3-6rgv-939r"
},
{
"name": "https://github.com/fluxcd/flux2/releases/tag/v0.32.0",
"refsource": "MISC",
"url": "https://github.com/fluxcd/flux2/releases/tag/v0.32.0"
}
]
},
"source": {
"advisory": "GHSA-xwf3-6rgv-939r",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36035",
"datePublished": "2022-08-31T14:55:09",
"dateReserved": "2022-07-15T00:00:00",
"dateUpdated": "2024-08-03T09:52:00.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24877
Vulnerability from cvelistv5
Published
2022-05-06 01:10
Modified
2024-08-03 04:29
Severity ?
EPSS score ?
Summary
Improper path handling in kustomization files allows path traversal
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:00.196Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "flux2",
"vendor": "fluxcd",
"versions": [
{
"status": "affected",
"version": "flux2 \u003c v0.29.0"
},
{
"status": "affected",
"version": "kustomize-controller \u003c v0.24.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user\u0027s CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-36",
"description": "CWE-36: Absolute Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-06T01:10:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"
}
],
"source": {
"advisory": "GHSA-j77r-2fxf-5jrw",
"discovery": "UNKNOWN"
},
"title": "Improper path handling in kustomization files allows path traversal",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24877",
"STATE": "PUBLIC",
"TITLE": "Improper path handling in kustomization files allows path traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "flux2",
"version": {
"version_data": [
{
"version_value": "flux2 \u003c v0.29.0"
},
{
"version_value": "kustomize-controller \u003c v0.24.0"
}
]
}
}
]
},
"vendor_name": "fluxcd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user\u0027s CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-36: Absolute Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw",
"refsource": "CONFIRM",
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"
}
]
},
"source": {
"advisory": "GHSA-j77r-2fxf-5jrw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24877",
"datePublished": "2022-05-06T01:10:09",
"dateReserved": "2022-02-10T00:00:00",
"dateUpdated": "2024-08-03T04:29:00.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24878
Vulnerability from cvelistv5
Published
2022-05-06 01:35
Modified
2024-08-03 04:29
Severity ?
EPSS score ?
Summary
Improper path handling in Kustomization files allows for denial of service
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:00.186Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "flux2",
"vendor": "fluxcd",
"versions": [
{
"status": "affected",
"version": "flux2 \u003c v0.28.5, \u003e= v0.19.0"
},
{
"status": "affected",
"version": "kustomize \u003c v0.29.0, \u003e= v0.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user\u0027s CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-06T01:35:08",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp"
}
],
"source": {
"advisory": "GHSA-7pwf-jg34-hxwp",
"discovery": "UNKNOWN"
},
"title": "Improper path handling in Kustomization files allows for denial of service",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24878",
"STATE": "PUBLIC",
"TITLE": "Improper path handling in Kustomization files allows for denial of service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "flux2",
"version": {
"version_data": [
{
"version_value": "flux2 \u003c v0.28.5, \u003e= v0.19.0"
},
{
"version_value": "kustomize \u003c v0.29.0, \u003e= v0.16.0"
}
]
}
}
]
},
"vendor_name": "fluxcd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user\u0027s CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp",
"refsource": "CONFIRM",
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp"
}
]
},
"source": {
"advisory": "GHSA-7pwf-jg34-hxwp",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24878",
"datePublished": "2022-05-06T01:35:08",
"dateReserved": "2022-02-10T00:00:00",
"dateUpdated": "2024-08-03T04:29:00.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}