CVE-2022-36035Path Traversal in Flux2

CWE-22Path Traversal5 documents4 sources
Severity
7.8HIGHNVD
CNA7.7
EPSS
0.1%
top 71.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Fluxcd Flux2Github.com Fluxcd Flux2
Timeline
PublishedAug 31
Latest updateAug 21

Description

Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

CVEListV5fluxcd/flux2< 0.32.0, >= 0.21.0
NVDfluxcd/flux20.21.00.32.0
Gogithub.com/fluxcd_flux20.21.00.32.0

🔴Vulnerability Details

4
OSV
Flux CLI Workload Injection in github.com/fluxcd/flux22024-08-21
OSV
Flux CLI Workload Injection2022-09-01
GHSA
Flux CLI Workload Injection2022-09-01
CVEList
Flux CLI Workload Injection2022-08-31
CVE-2022-36035 — Path Traversal in Fluxcd Flux2 | cvebase