Critical severityNVD Advisory· Published May 6, 2022· Updated Apr 23, 2025
Improper path handling in kustomization files allows path traversal
CVE-2022-24877
Description
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate kustomization.yaml files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/fluxcd/kustomize-controllerGo | < 0.24.0 | 0.24.0 |
github.com/fluxcd/flux2Go | < 0.29.0 | 0.29.0 |
Affected products
11- osv-coords10 versionspkg:apk/chainguard/flux-kustomize-controllerpkg:apk/chainguard/flux-kustomize-controller-bitnami-compatpkg:apk/chainguard/flux-kustomize-controller-iamguarded-compatpkg:apk/wolfi/flux-kustomize-controllerpkg:apk/wolfi/flux-kustomize-controller-bitnami-compatpkg:apk/wolfi/flux-kustomize-controller-iamguarded-compatpkg:bitnami/fluxpkg:bitnami/kustomizepkg:golang/github.com/fluxcd/flux2pkg:golang/github.com/fluxcd/kustomize-controller
< 0+ 9 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.29.0
- (no CPE)range: < 0.24.0
- (no CPE)range: < 0.29.0
- (no CPE)range: < 0.24.0
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-j77r-2fxf-5jrwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-24877ghsaADVISORY
- github.com/fluxcd/kustomize-controllerghsaPACKAGE
- github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrwghsax_refsource_CONFIRMWEB
- github.com/fluxcd/kustomize-controller/commit/f4528fb25d611da94e491346bea056d5c5c3611fghsaWEB
- github.com/fluxcd/pkg/commit/0ec014baf417fd3879d366a45503a548b9267d2aghsaWEB
News mentions
0No linked articles in our index yet.