CVE-2021-41254OS Command Injection in Kustomize-controller

CWE-78OS Command Injection5 documents4 sources
Severity
8.8HIGHNVD
EPSS
1.3%
top 20.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Fluxcd Kustomize-controllerGithub.com Fluxcd Kustomize-controller
Timeline
PublishedNov 12
Latest updateAug 21

Description

kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, t

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

CVEListV5fluxcd/kustomize-controller< 0.15.0

🔴Vulnerability Details

4
OSV
Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller2024-08-21
OSV
Privilege escalation to cluster admin on multi-tenant environments2021-11-15
GHSA
Privilege escalation to cluster admin on multi-tenant environments2021-11-15
CVEList
Privilege escalation to cluster admin on multi-tenant environments2021-11-12
CVE-2021-41254 — OS Command Injection | cvebase