Описание
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate kustomization.yaml files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.
Ссылки
- Vendor Advisory
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.29.0 (исключая)Версия до 0.24.0 (исключая)
Одно из
cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*
EPSS
Процентиль: 69%
0.00617
Низкий
9.9 Critical
CVSS3
8.8 High
CVSS3
6.5 Medium
CVSS2
Дефекты
CWE-22
CWE-22
Связанные уязвимости
CVSS3: 9.9
github
почти 4 года назад
Improper path handling in kustomization files allows path traversal
EPSS
Процентиль: 69%
0.00617
Низкий
9.9 Critical
CVSS3
8.8 High
CVSS3
6.5 Medium
CVSS2
Дефекты
CWE-22
CWE-22