Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HFluxcd Flux2
APPFluxcd< 0.29.0Fluxcd Kustomize Controller
APPFluxcd< 0.24.0
Related vulnerabilities
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and ...
Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-control...
Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), ...
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-co...
kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infras...