CVE-2022-24877 | Flux is an open and extensible continuous delivery solution … | CVSS 9.9 CRITICAL

Description

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.

Metadata

CVE ID: CVE-2022-24877
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2022-02-10 00:00 UTC
Published: 2022-05-06 01:10 UTC
Last updated: 2025-04-23 18:29 UTC
Primary CWE: CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product: fluxcd / flux2
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
fluxcd	flux2	—	flux2 < v0.29.0, kustomize-controller < v0.24.0

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-36	cna	CWE-36: Absolute Path Traversal

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (1)

https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw