PT-2022-16897 · Flux2+1 · Flux2+2

Pjbgf · Published 2022-05-06 · Updated 2024-03-06 · CVE-2022-24817

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Flux2 versions 0.1.0 through 0.29.0
helm-controller versions 0.1.0 through 0.19.0
kustomize-controller versions 0.1.0 through 0.23.0

Description

The issue is code injection via malicious Kubeconfig files, which can lead to privilege escalation in multi-tenancy deployments if the controller's service account has elevated permissions. A malicious user with write access to a Flux source, or with direct access to the target cluster, could craft a Kubeconfig that executes arbitrary code inside the controller's container. Exploitation requires specific permissions: either direct access to the cluster to create or modify Flux objects and Kubernetes Secrets, or the rights to make changes to a configured Flux Source.

Recommendations

For Flux2 versions 0.1.0 through 0.28.0, consider disabling the functionality with a Validating Admission webhook that prevents users from setting the spec.kubeConfig field in Flux Kustomization and HelmRelease objects.
For helm-controller versions 0.1.0 through 0.18.0, apply restrictive AppArmor and SELinux profiles to the controller's pod to limit which binaries can be executed.
For kustomize-controller versions 0.1.0 through 0.22.0, apply the same mitigation as for helm-controller.
Update to Flux2 version 0.29.0, which includes the fixed helm-controller v0.19.0 and kustomize-controller v0.23.0, to resolve the issue.
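The webhook mitigation above, as an added example that is not part of this advisory or of the Flux project: the decision logic a validating admission webhook would apply to an AdmissionReview request, denying Flux Kustomization and HelmRelease objects that set spec.kubeConfig. The API group names and the sample request are assumptions constructed for the example.

```python
# Added example: validating-webhook decision logic that rejects Flux
# Kustomization and HelmRelease objects carrying spec.kubeConfig, the field
# this advisory recommends blocking. It follows the AdmissionReview v1 shape;
# the sample request at the bottom is constructed, not taken from a cluster.

# The two Flux CRDs named in the advisory, keyed by API group (assumed names).
GUARDED_KINDS = {
    ("kustomize.toolkit.fluxcd.io", "Kustomization"),
    ("helm.toolkit.fluxcd.io", "HelmRelease"),
}

def kubeconfig_set(obj: dict) -> bool:
    """True when the object sets spec.kubeConfig to any non-empty value."""
    return bool((obj.get("spec") or {}).get("kubeConfig"))

def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response for one CREATE/UPDATE request.
    Guarded kinds with spec.kubeConfig are denied; everything else is allowed."""
    req = admission_review["request"]
    group = req.get("kind", {}).get("group", "")
    kind = req.get("kind", {}).get("kind", "")
    obj = req.get("object") or {}
    response = {"uid": req["uid"], "allowed": True}
    if (group, kind) in GUARDED_KINDS and kubeconfig_set(obj):
        name = obj.get("metadata", {}).get("name", "")
        response["allowed"] = False
        response["status"] = {
            "code": 403,
            "message": f"{kind} {req.get('namespace', '')}/{name}: spec.kubeConfig "
                       "is disabled by policy (mitigation for CVE-2022-24817)",
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

# Constructed sample: a tenant Kustomization pointing at a kubeconfig Secret.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "11111111-2222-3333-4444-555555555555",
        "kind": {"group": "kustomize.toolkit.fluxcd.io", "version": "v1beta2",
                 "kind": "Kustomization"},
        "namespace": "tenant-a", "operation": "CREATE",
        "object": {"apiVersion": "kustomize.toolkit.fluxcd.io/v1beta2",
                   "kind": "Kustomization",
                   "metadata": {"name": "app", "namespace": "tenant-a"},
                   "spec": {"interval": "5m",
                            "sourceRef": {"kind": "GitRepository", "name": "app"},
                            "kubeConfig": {"secretRef": {"name": "remote"}}}},
    },
}
```

Registering the webhook for the two Flux API groups with failurePolicy Fail is what turns this logic into the blocking control the advisory describes; the function itself is only the decision step.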

Weakness Enumeration

Code Injection

Related Identifiers

BIT-FLUX-2022-24817
BIT-KUSTOMIZE-2022-24817
CVE-2022-24817
GHSA-VVMQ-FWMG-2GJC

Affected Products

Flux2
Helm-Controller
Kustomize-Controller