Skip to content
GitLab
Next
Menu
Why GitLab
Pricing
Contact Sales
Explore
Why GitLab
Pricing
Contact Sales
Explore
Sign in
Get free trial
Primary navigation
Search or go to…
Project
A
advisory-database
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Iterations
Wiki
Requirements
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Test cases
Artifacts
Deploy
Releases
Package Registry
Container Registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Service Desk
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Code review analytics
Issue analytics
Insights
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Privacy statement
Keyboard shortcuts
?
What's new
6
Snippets
Groups
Projects
Show more breadcrumbs
GitLab.org
security-products
advisory-database
Commits
ec5851ac
Commit
ec5851ac
authored
2 years ago
by
🤖 GitLab Bot 🤖
Browse files
Options
Downloads
Patches
Plain Diff
add go/github.com/fluxcd/kustomize-controller/CVE-2022-24877.yml to branch
parent
ac198b59
No related branches found
No related tags found
1 merge request
!14574
Add CVE-2022-24877 to kustomize-controller
Checking pipeline status
Changes
1
Pipelines
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
go/github.com/fluxcd/kustomize-controller/CVE-2022-24877.yml
+39
-0
39 additions, 0 deletions
go/github.com/fluxcd/kustomize-controller/CVE-2022-24877.yml
with
39 additions
and
0 deletions
go/github.com/fluxcd/kustomize-controller/CVE-2022-24877.yml
0 → 100644
+
39
−
0
View file @
ec5851ac
---
identifier
:
"
CVE-2022-24877"
identifiers
:
-
"
CVE-2022-24877"
-
"
GHSA-j77r-2fxf-5jrw"
package_slug
:
"
go/github.com/fluxcd/kustomize-controller"
title
:
"
Improper
Limitation
of
a
Pathname
to
a
Restricted
Directory
('Path
Traversal')"
description
:
"
Flux
is
an
open
and
extensible
continuous
delivery
solution
for
Kubernetes.
Path
Traversal
in
the
kustomize-controller
via
a
malicious
`kustomization.yaml`
allows
an
attacker
to
expose
sensitive
data
from
the
controller’s
pod
filesystem
and
possibly
privilege
escalation
in
multi-tenancy
deployments.
Workarounds
include
automated
tooling
in
the
user's
CI/CD
pipeline
to
validate
`kustomization.yaml`
files
conform
with
specific
policies.
This
vulnerability
is
fixed
in
kustomize-controller
v0.24.0
and
included
in
flux2
v0.29.0."
date
:
"
2022-05-14"
pubdate
:
"
2022-05-06"
affected_range
:
"
<v0.24.0"
fixed_versions
:
-
"
v0.24.0"
affected_versions
:
"
All
versions
before
0.24.0"
not_impacted
:
"
"
solution
:
"
Upgrade
to
version
0.24.0
or
above."
urls
:
-
"
https://nvd.nist.gov/vuln/detail/CVE-2022-24877"
-
"
https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"
cvss_v2
:
"
AV:N/AC:L/Au:S/C:P/I:P/A:P"
cvss_v3
:
"
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
uuid
:
"
d6acb6ce-1645-4ab9-93ca-62749fd2f6d1"
cwe_ids
:
-
"
CWE-1035"
-
"
CWE-22"
-
"
CWE-937"
versions
:
-
number
:
"
v0.24.0"
commit
:
tags
:
-
"
v0.24.0"
sha
:
"
69a9e9d6bf4666eb02d2367210b29d0a66262580"
timestamp
:
"
20220419121000"
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment