VYPR
Critical severityNVD Advisory· Published May 6, 2022· Updated Apr 23, 2025

Improper path handling in kustomization files allows path traversal

CVE-2022-24877

Description

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate kustomization.yaml files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/fluxcd/kustomize-controllerGo
< 0.24.00.24.0
github.com/fluxcd/flux2Go
< 0.29.00.29.0

Affected products

11

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.