High severityNVD Advisory· Published May 6, 2022· Updated Apr 23, 2025
Improper path handling in Kustomization files allows for denial of service
CVE-2022-24878
Description
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to validate kustomization.yaml files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/fluxcd/kustomize-controllerGo | >= 0.16.0, < 0.24.0 | 0.24.0 |
github.com/fluxcd/flux2Go | >= 0.19.0, < 0.29.0 | 0.29.0 |
Affected products
5- osv-coords4 versionspkg:bitnami/fluxpkg:bitnami/kustomizepkg:golang/github.com/fluxcd/flux2pkg:golang/github.com/fluxcd/kustomize-controller
< 0.29.0+ 3 more
- (no CPE)range: < 0.29.0
- (no CPE)range: < 0.24.0
- (no CPE)range: >= 0.19.0, < 0.29.0
- (no CPE)range: >= 0.16.0, < 0.24.0
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-7pwf-jg34-hxwpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-24878ghsaADVISORY
- github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwpghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.