CVE-2022-24817 — Code Injection in Fluxcd Flux2
Severity
9.9 CRITICAL (NVD)
EPSS
0.4% (top 40.59%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 6
Latest update: May 16
Description
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller's service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting t…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.1 | Impact: 6.0