Описание
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to validate kustomization.yaml files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade.
Ссылки
- Third Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.29.0 (исключая)Версия до 0.24.0 (исключая)
Одно из
cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*
EPSS
Процентиль: 54%
0.0031
Низкий
7.7 High
CVSS3
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-22
CWE-22
Связанные уязвимости
CVSS3: 7.7
github
больше 3 лет назад
Improper path handling in Kustomization files allows for denial of service
EPSS
Процентиль: 54%
0.0031
Низкий
7.7 High
CVSS3
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-22
CWE-22