github.com/fluxcd/kustomize-controller vulnerabilities
5 known vulnerabilities affecting github.com/fluxcd_kustomize-controller.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 1
Vulnerabilities
CVE-2022-39272 [MEDIUM] CWE-20 Improper use of metav1.Duration allows for Denial of Service
Affected versions: ≥ 0.0.1-alpha-1, < 0.29.0 (2022-10-19)
Flux controllers within the affected versions range are vulnerable to a denial of service attack. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire
CVE-2022-24878 [HIGH] CWE-674 Improper path handling in Kustomization files allows for denial of service
Affected versions: ≥ 0.16.0, < 0.24.0 (2022-05-20)
The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use a specially crafted `kustomization.yaml` to cause Denial of Service at controller level.
In multi-tenancy deployments this can lead to multiple tenants not being ab
CVE-2022-24817 [CRITICAL] CWE-94 Improper kubeconfig validation allows arbitrary code execution
Affected versions: ≥ 0.1.0, < 0.23.0 (2022-05-16)
Flux2 can reconcile the state of a remote cluster when provided with a [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#file-references) with the correct access rights. `Kubeconfig` files can define [commands](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-g
CVE-2022-24877 [CRITICAL] CWE-22 Improper path handling in kustomization files allows path traversal
Affected versions: ≥ 0, < 0.24.0 (2022-05-04)
The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use built-in features and a specially crafted `kustomization.yaml` to expose sensitive data from the controller’s pod filesystem. In multi-tenancy deployments this can lead to priv
CVE-2021-41254 [HIGH] CWE-78 Privilege escalation to cluster admin on multi-tenant environments
Affected versions: ≥ 0, < 0.15.0 (2021-11-15)
Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, thus allowing an authenticated Kub