x/vulndb: potential Go vuln in github.com/fluxcd/flux2: CVE-2022-24878 #448
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
CVE-2022-24878 references github.com/fluxcd/flux2, which may be a Go module.
Description:
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious
kustomization.yaml
allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to validatekustomization.yaml
files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade.Links:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: