Commit ec5851ac authored by 🤖 GitLab Bot 🤖

add go/github.com/fluxcd/kustomize-controller/CVE-2022-24877.yml to branch

parent ac198b59
1 merge request: !14574 Add CVE-2022-24877 to kustomize-controller
---
identifier: "CVE-2022-24877"
identifiers:
- "CVE-2022-24877"
- "GHSA-j77r-2fxf-5jrw"
package_slug: "go/github.com/fluxcd/kustomize-controller"
title: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
description: "Flux is an open and extensible continuous delivery solution for Kubernetes.
Path Traversal in the kustomize-controller via a malicious `kustomization.yaml`
allows an attacker to expose sensitive data from the controller’s pod filesystem
and possibly privilege escalation in multi-tenancy deployments. Workarounds include
automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml`
files conform with specific policies. This vulnerability is fixed in kustomize-controller
v0.24.0 and included in flux2 v0.29.0."
date: "2022-05-14"
pubdate: "2022-05-06"
affected_range: "<v0.24.0"
fixed_versions:
- "v0.24.0"
affected_versions: "All versions before 0.24.0"
not_impacted: ""
solution: "Upgrade to version 0.24.0 or above."
urls:
- "https://nvd.nist.gov/vuln/detail/CVE-2022-24877"
- "https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"
cvss_v2: "AV:N/AC:L/Au:S/C:P/I:P/A:P"
cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
uuid: "d6acb6ce-1645-4ab9-93ca-62749fd2f6d1"
cwe_ids:
- "CWE-1035"
- "CWE-22"
- "CWE-937"
versions:
- number: "v0.24.0"
commit:
tags:
- "v0.24.0"
sha: "69a9e9d6bf4666eb02d2367210b29d0a66262580"
timestamp: "20220419121000"
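The workaround the advisory names is CI/CD tooling that checks `kustomization.yaml` files against a policy before the controller ever sees them. The following Go program is an added example of such a check, not code from this page or from the Flux project. It assumes (the advisory does not say so) that a crafted kustomization reaches the pod filesystem through the file-reference fields of the kustomization (`resources`, `patches`, `patchesStrategicMerge`, `patchesJson6902` and so on), so it extracts those references with a deliberately small line-based reader for the flat YAML subset those fields use, resolves each one against the directory holding the kustomization, and rejects any that is absolute or that resolves outside a chosen source root. The `/tmp/source` root, the `apps/tenant-a` directory and the sample document are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumption (not stated by the advisory): a crafted kustomization.yaml reaches the
// controller's filesystem through these file-reference fields.
var pathKeys = map[string]bool{
	"resources": true, "bases": true, "components": true, "crds": true, "configurations": true,
	"patches": true, "patchesStrategicMerge": true, "patchesJson6902": true,
}

// Finding is one rejected file reference.
type Finding struct {
	Key, Value, Reason string
}

// extractPathRefs returns (key, value) pairs for list items under the keys in pathKeys.
// It reads only the flat forms those keys use: "- file.yaml", "- path: file.yaml" and an
// indented "path: file.yaml" inside a mapping item (patchesJson6902). Anything else is skipped.
func extractPathRefs(doc string) [][2]string {
	var refs [][2]string
	cur := "" // top-level key currently open; "" when it carries no file references
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		raw := sc.Text()
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") || line == "---" {
			continue
		}
		if !strings.HasPrefix(raw, " ") && !strings.HasPrefix(raw, "-") { // a top-level key
			key := strings.TrimSpace(strings.SplitN(line, ":", 2)[0])
			cur = ""
			if pathKeys[key] {
				cur = key
			}
			continue
		}
		if cur == "" {
			continue
		}
		var item string
		switch {
		case strings.HasPrefix(line, "- path:"):
			item = strings.TrimPrefix(line, "- path:")
		case strings.HasPrefix(line, "path:"):
			item = strings.TrimPrefix(line, "path:")
		case strings.HasPrefix(line, "- "):
			item = strings.TrimPrefix(line, "- ")
			if strings.Contains(item, ":") && !strings.Contains(item, "://") {
				continue // some other mapping item such as "- target:", not a path
			}
		default:
			continue
		}
		if item = strings.Trim(strings.TrimSpace(item), `"'`); item != "" {
			refs = append(refs, [2]string{cur, item})
		}
	}
	return refs
}

// checkKustomization rejects references that resolve outside root, the directory a build
// is meant to be confined to. kdir is the directory holding the kustomization.yaml, which
// relative references are resolved against. The check is purely lexical.
func checkKustomization(root, kdir, doc string) []Finding {
	var out []Finding
	for _, ref := range extractPathRefs(doc) {
		key, val := ref[0], ref[1]
		if strings.Contains(val, "://") {
			continue // remote reference, not a local path; policy for those is separate
		}
		if filepath.IsAbs(val) {
			out = append(out, Finding{key, val, "absolute path"})
			continue
		}
		rel, err := filepath.Rel(root, filepath.Join(kdir, val))
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			out = append(out, Finding{key, val, "escapes source root"})
		}
	}
	return out
}

// sampleKustomization is a constructed document mixing legitimate and hostile references.
const sampleKustomization = `apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: tenant-a
resources:
- deployment.yaml
- ../common/service.yaml
- ../../../../../../etc/kubernetes
- https://github.com/example/repo//manifests?ref=main
patchesStrategicMerge:
- "patches/replicas.yaml"
- /var/run/secrets/kubernetes.io/serviceaccount/token
patchesJson6902:
- target:
    kind: Deployment
    name: app
  path: ../../../../../../proc/1/environ
`

func main() {
	for _, f := range checkKustomization("/tmp/source", "/tmp/source/apps/tenant-a", sampleKustomization) {
		fmt.Printf("REJECT %s: %q (%s)\n", f.Key, f.Value, f.Reason)
	}
}
```

On the sample, `../common/service.yaml` passes because it stays under `/tmp/source`, while the two `../../../../../../` references and the absolute token path are rejected. Because the check is lexical, it does not catch a symlink inside the checked-out tree that points outside it; a CI job should also run it against a fresh checkout with symlinks resolved or forbidden, and upgrading to kustomize-controller v0.24.0 remains the actual fix.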