gsd-2022-24877
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-24877",
"description": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user\u0027s CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.",
"id": "GSD-2022-24877"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-24877"
],
"details": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user\u0027s CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.",
"id": "GSD-2022-24877",
"modified": "2023-12-13T01:19:43.241019Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24877",
"STATE": "PUBLIC",
"TITLE": "Improper path handling in kustomization files allows path traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "flux2",
"version": {
"version_data": [
{
"version_value": "flux2 \u003c v0.29.0"
},
{
"version_value": "kustomize-controller \u003c v0.24.0"
}
]
}
}
]
},
"vendor_name": "fluxcd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user\u0027s CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-36: Absolute Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw",
"refsource": "CONFIRM",
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"
}
]
},
"source": {
"advisory": "GHSA-j77r-2fxf-5jrw",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003cv0.29.0",
"affected_versions": "All versions before 0.29.0",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-05-04",
"description": "The kustomize-controller enables the use of Kustomize\u2019s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use built-in features and a specially crafted `kustomization.yaml` to expose sensitive data from the controller\u2019s pod filesystem. In multi-tenancy deployments this can lead to privilege escalation if the controller\u0027s service account has elevated permissions.\n\nWithin the affected versions, users with write access to a Flux source are able to use built-in features to expose sensitive data from the controller\u2019s pod filesystem using a malicious `kustomization.yaml` file.\n\nThis vulnerability was fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0 released on 2022-04-20. The changes introduce a new Kustomize file system implementation which ensures that all files being handled are contained within the Kustomization working directory, blocking references to any files that do not meet that requirement.\n\nAutomated tooling (e.g. conftest) could be employed as a workaround, as part of a user\u0027s CI/CD pipeline to ensure that their `kustomization.yaml` files conform with specific policies, blocking access to sensitive path locations.",
"fixed_versions": [
"v0.29.0"
],
"identifier": "GMS-2022-1263",
"identifiers": [
"GHSA-j77r-2fxf-5jrw",
"GMS-2022-1263",
"CVE-2022-24877"
],
"not_impacted": "All versions starting from 0.29.0",
"package_slug": "go/github.com/fluxcd/flux2",
"pubdate": "2022-05-04",
"solution": "Upgrade to version 0.29.0 or above.",
"title": "Improper path handling in kustomization files allows path traversal",
"urls": [
"https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw",
"https://github.com/advisories/GHSA-j77r-2fxf-5jrw"
],
"uuid": "10b295ae-1e10-413e-a8cc-218208860006",
"versions": [
{
"commit": {
"sha": "5346c1cca31261453f1100b3516a77750e46bb17",
"tags": [
"v0.29.0"
],
"timestamp": "20220420102848"
},
"number": "v0.29.0"
}
]
},
{
"affected_range": "\u003cv0.24.0",
"affected_versions": "All versions before 0.24.0",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-22",
"CWE-937"
],
"date": "2022-05-14",
"description": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u00e2\u20ac\u2122s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user\u0027s CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.",
"fixed_versions": [
"v0.24.0"
],
"identifier": "CVE-2022-24877",
"identifiers": [
"CVE-2022-24877",
"GHSA-j77r-2fxf-5jrw",
"GMS-2022-1264"
],
"not_impacted": "",
"package_slug": "go/github.com/fluxcd/kustomize-controller",
"pubdate": "2022-05-06",
"solution": "Upgrade to version 0.24.0 or above.",
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-24877",
"https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw",
"https://github.com/advisories/GHSA-j77r-2fxf-5jrw"
],
"uuid": "d6acb6ce-1645-4ab9-93ca-62749fd2f6d1",
"versions": [
{
"commit": {
"sha": "69a9e9d6bf4666eb02d2367210b29d0a66262580",
"tags": [
"v0.24.0"
],
"timestamp": "20220419121000"
},
"number": "v0.24.0"
}
]
},
{
"affected_range": "\u003c0",
"affected_versions": "All versions before 0.24.0",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-05-04",
"description": "The kustomize-controller enables the use of Kustomize\u2019s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use built-in features and a specially crafted `kustomization.yaml` to expose sensitive data from the controller\u2019s pod filesystem. In multi-tenancy deployments this can lead to privilege escalation if the controller\u0027s service account has elevated permissions.\n\nWithin the affected versions, users with write access to a Flux source are able to use built-in features to expose sensitive data from the controller\u2019s pod filesystem using a malicious `kustomization.yaml` file.\n\nThis vulnerability was fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0 released on 2022-04-20. The changes introduce a new Kustomize file system implementation which ensures that all files being handled are contained within the Kustomization working directory, blocking references to any files that do not meet that requirement.\n\nAutomated tooling (e.g. conftest) could be employed as a workaround, as part of a user\u0027s CI/CD pipeline to ensure that their `kustomization.yaml` files conform with specific policies, blocking access to sensitive path locations.",
"fixed_versions": [
"v0.24.0"
],
"identifier": "GMS-2022-1264",
"identifiers": [
"GHSA-j77r-2fxf-5jrw",
"GMS-2022-1264",
"CVE-2022-24877"
],
"not_impacted": "All versions starting from 0.24.0",
"package_slug": "go/github.com/fluxcd/kustomize-controller",
"pubdate": "2022-05-04",
"solution": "Upgrade to version 0.24.0 or above.",
"title": "Duplicate of ./go/github.com/fluxcd/kustomize-controller/CVE-2022-24877.yml",
"urls": [
"https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw",
"https://github.com/advisories/GHSA-j77r-2fxf-5jrw"
],
"uuid": "86fe48e4-f692-4146-b8f5-b27eda34d33e",
"versions": [
{
"commit": {
"sha": "69a9e9d6bf4666eb02d2367210b29d0a66262580",
"tags": [
"v0.24.0"
],
"timestamp": "20220419121000"
},
"number": "v0.24.0"
}
]
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*",
"matchCriteriaId": "45B1C066-F71F-48F7-9119-200CAE4E42B8",
"versionEndExcluding": "0.29.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E813B615-DAA8-47E8-A35C-98A5D752663D",
"versionEndExcluding": "0.24.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller\u2019s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user\u0027s CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0."
},
{
"lang": "es",
"value": "Flux es una soluci\u00f3n de entrega continua abierta y extensible para Kubernetes. Un Salto de Ruta en el controlador kustomize por medio de un \"kustomization.yaml\" malicioso permite a un atacante exponer datos confidenciales del sistema de archivos del pod del controlador y posiblemente escalar privilegios en despliegues multi-tenancy. Las mitigaciones incluyen herramientas automatizadas en la cadena de trabajo CI/CD del usuario para comprobar que los archivos \"kustomization.yaml\" sean ajustados a pol\u00edticas espec\u00edficas. Esta vulnerabilidad ha sido corregida en kustomize-controller versiones v0.24.0 y ha sido incluida en flux2 versi\u00f3n v0.29.0"
}
],
"id": "CVE-2022-24877",
"lastModified": "2024-02-08T02:06:58.990",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2022-05-06T01:15:09.387",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-36"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.