CRITICAL🇵🇱 Wersja polska

CVE-2022-24817

CVSS 9.9v3.1pub. 2022-05-06upd. 2024-11-21

Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller's service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller’s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Fluxcd Flux2

    APP
    Fluxcd
    0.1.0 – 0.29.0 (bez)
  • Fluxcd Helm Controller

    APP
    Fluxcd
    0.2.0 – 0.19.0 (bez)
  • Fluxcd Kustomize Controller

    APP
    Fluxcd
    0.1.0 – 0.23.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPEContainer
CWE
References

Related vulnerabilities

CVE-2022-24877CRITICAL9.9ten sam produkt

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-co...

CVE-2022-36049HIGH7.7ten sam produkt

Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-control...

CVE-2022-36035HIGH7.7ten sam produkt

Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), ...

CVE-2022-24878HIGH7.7ten sam produkt

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-co...

CVE-2021-41254HIGH8.8ten sam produkt

kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infras...