github.com/fluxcd/flux2 vulnerabilities

6 known vulnerabilities affecting github.com/fluxcd/flux2.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 1

Vulnerabilities

CVE-2022-39272 | MEDIUM | ≥ 0.1.0, < 0.35.0 | 2022-10-19
CWE-20: Improper use of metav1.Duration allows for Denial of Service
Flux controllers within the affected versions range are vulnerable to a denial of service attack. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire
Sources: GHSA, OSV

CVE-2022-36049 | HIGH | ≥ 0.0.17, < 0.32.0 | 2022-09-16
CWE-400: Helm Controller denial of service
Helm controller is tightly integrated with the Helm SDK. [A vulnerability](https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh) found in the Helm SDK allows for specific data inputs to cause high memory consumption, which in some platforms could cause the controller to panic and stop processing reconciliations.
Impact: In a shared cluster multi-tenancy environment, a tenant cou
Sources: GHSA, OSV

CVE-2022-36035 | HIGH | ≥ 0.21.0, < 0.32.0 | 2022-09-01
CWE-22: Flux CLI Workload Injection
Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of user-supplied input, which results in a path traversal that can be controlled by the attacker.
Sources: GHSA, OSV

CVE-2022-24878 | HIGH | ≥ 0.19.0, < 0.29.0 | 2022-05-20
CWE-674: Improper path handling in Kustomization files allows for denial of service
The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use a specially crafted `kustomization.yaml` to cause Denial of Service at controller level. In multi-tenancy deployments this can lead to multiple tenants not being ab
Sources: GHSA, OSV

CVE-2022-24817 | CRITICAL | ≥ 0.1.0, < 0.29.0 | 2022-05-16
CWE-94: Improper kubeconfig validation allows arbitrary code execution
Flux2 can reconcile the state of a remote cluster when provided with a [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#file-references) with the correct access rights. `Kubeconfig` files can define [commands](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-g
Sources: GHSA, OSV

CVE-2022-24877 | CRITICAL | ≥ 0, < 0.29.0 | 2022-05-04
CWE-22: Improper path handling in kustomization files allows path traversal
The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use built-in features and a specially crafted `kustomization.yaml` to expose sensitive data from the controller’s pod filesystem. In multi-tenancy deployments this can lead to priv
Sources: GHSA, OSV