CVE-2022-24877 : Flux is an open and extensible continuous delivery solution for Kubernetes. Path

Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.

Published 2022-05-06 01:15:09

Updated 2024-02-08 02:06:59

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Directory traversalGain privilege

Products affected by CVE-2022-24877

Fluxcd » Kustomize-controller
Versions before (<) 0.24.0
cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*
Matching versions
Fluxcd » Flux2
Versions before (<) 0.29.0
cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-24877

EPSS FAQ

0.51%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 65 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-24877

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.9	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	3.1	6.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-24877

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
CWE-36 Absolute Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2022-24877

https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw

Improper path handling in Kustomization files allows path traversal · Advisory · fluxcd/flux2 · GitHub
Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-24877

Products affected by CVE-2022-24877

Exploit prediction scoring system (EPSS) score for CVE-2022-24877

CVSS scores for CVE-2022-24877

CWE ids for CVE-2022-24877

References for CVE-2022-24877