Pjbgf

**Name of the Vulnerable Software and Affected Versions** Weave GitOps versions prior to v0.12.0 **Description** The communication between GitOps Run and the local S3 bucket is not encrypted, allowing privileged users or processes to tap the local traffic and gain information permitting access to the S3 bucket. This could result in changes to the bucket content, leading to modifications in the Kubernetes cluster's resources. There are no known workarounds for this issue. **Recommendations** For Weave GitOps versions prior to v0.12.0, upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022. As a temporary workaround, consider restricting access to the local S3 bucket to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Flux (affected versions not specified) **Description** The issue is related to the improper handling of user-supplied input in the Flux CLI, which results in a path traversal that can be controlled by the attacker. This allows other applications to replace the Flux deployment information with arbitrary content, which is then deployed into the target Kubernetes cluster. Users sharing the same shell between other applications and the Flux CLI commands could be affected by this issue. In some scenarios, no errors may be presented, which may cause end users not to realize that something is amiss. **Recommendations** As a temporary workaround, consider executing Flux CLI in ephemeral and isolated shell environments to ensure no persistent values exist from previous processes. Upgrading to the latest version of the CLI is still the recommended mitigation strategy.

**Name of the Vulnerable Software and Affected Versions** GitOps Tools Extension for VSCode (affected versions not specified) **Description** A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users using the VSCode extension to manage clusters that are shared amongst other users are affected by this issue. **Recommendations** Update to the latest version of the GitOps Tools Extension for VSCode.

**Name of the Vulnerable Software and Affected Versions** GitOps Tools Extension for VSCode (affected versions not specified) **Description** The GitOps Tools Extension for VSCode is affected by an issue where a specially crafted kubeconfig can lead to arbitrary code execution on behalf of the user running VSCode. This issue is specific to the extension and does not affect the use of kubeconfig with kubectl. Users who rely on kubeconfigs generated or altered by other processes or users are at risk. Using only trustworthy kubeconfigs is a safe mitigation. **Recommendations** Update to the latest version of the GitOps Tools Extension for VSCode. As a temporary workaround, consider using only trustworthy kubeconfigs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Flux2 versions 0.1.0 through 0.29.0 helm-controller versions 0.1.0 through 0.19.0 kustomize-controller versions 0.1.0 through 0.23.0 **Description** The issue concerns code injection via malicious Kubeconfig files, potentially leading to privilege escalation in multi-tenancy deployments if the controller's service account has elevated permissions. A malicious user with write access to a Flux source or direct access to the target cluster could craft a Kubeconfig to execute arbitrary code inside the controller's container. The vulnerability requires specific permissions, including direct access to the cluster to create or modify Flux objects and Kubernetes Secrets, or access rights to make changes to a configured Flux Source. **Recommendations** For Flux2 versions 0.1.0 through 0.28.0, consider disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. For helm-controller versions 0.1.0 through 0.18.0, apply restrictive AppArmor and SELinux profiles on the controller's pod to limit what binaries can be executed. For kustomize-controller versions 0.1.0 through 0.22.0, apply the same mitigation as for helm-controller. Update to Flux2 version 0.29.0, which includes the fixed helm-controller v0.19.0 and kustomize-controller v0.23.0, to resolve the issue.