x/vulndb: potential Go vuln in github.com/fluxcd/flux2: CVE-2022-24877 #447
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
CVE-2022-24877 references github.com/fluxcd/flux2, which may be a Go module.
Description:
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious
kustomization.yaml
allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validatekustomization.yaml
files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.Links:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: