PT-2022-16949 · Unknown+1 · Kustomize-Controller+1

Published: 2022-05-04 · Updated: 2024-08-21 · CVE-2022-24877

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- kustomize-controller versions prior to 0.24.0
- flux2 versions prior to 0.29.0

Description: Path traversal in the kustomize-controller via a malicious kustomization.yaml. A user with write access to a Flux source (for example a Git repository the controller reconciles) can use ordinary, built-in kustomize features to have the controller read files that resolve outside the source directory, exposing sensitive data from the controller's pod filesystem. In multi-tenancy deployments, where tenants who can push to a source are not meant to share the controller's privileges, this can also lead to privilege escalation. Pending an upgrade, the exposure can be reduced by validating kustomization.yaml files in the CI/CD pipeline against policies that reject references to paths outside the kustomization's own directory.

Recommendations: For kustomize-controller versions prior to 0.24.0, update to version 0.24.0 or later. For flux2 versions prior to 0.29.0, update to version 0.29.0 or later. As a temporary workaround, use automated tooling such as conftest in the CI/CD pipeline to ensure kustomization.yaml files conform to policies that block access to sensitive path locations. Note that this workaround only covers sources that actually pass through that pipeline before the controller reconciles them; it is not a substitute for the upgrade.
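The following is an added example, written for this page and not code from the Flux project, of the kind of pre-merge check the workaround calls for. It scans the local file references a kustomization.yaml makes (bare entries under lists such as resources: and files:, and path: keys) and reports any that lexically resolve outside the kustomization's own directory. The sample kustomization and the root directory /tmp/source/apps/demo are constructed for the example; extractRefs, escapesRoot and checkKustomization are this example's own names, not an API of kustomize or kustomize-controller.

```go
// Added example: reject kustomization.yaml file references that escape the
// kustomization directory. Not part of kustomize-controller.
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample mixing legitimate references with ones that reach
// outside the kustomization directory.
const sampleKustomization = `apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: demo
resources:
  - deployment.yaml
  - ../../../../etc/passwd
  - https://github.com/example/repo//base?ref=main
patches:
  - path: patch-replicas.yaml
    target:
      kind: Deployment
  - path: ../../../../var/run/secrets/kubernetes.io/serviceaccount/token
configMapGenerator:
  - name: app-config
    files:
      - app.properties
      - creds=../../../../root/.kube/config
    literals:
      - LOG_LEVEL=debug
`

// extractRefs pulls candidate local file references out of a kustomization.yaml.
// It is a deliberately small line-based reader rather than a YAML parser: bare
// list items ("- file.yaml") and "path:" keys are kept, other mapping keys are
// skipped, remote references (URLs) are dropped, and the "name=path" form that
// generator "files:" lists accept is reduced to its path part. Literals that
// happen to look like paths are kept too; the check is conservative on purpose.
func extractRefs(doc string) []string {
	var refs []string
	for _, raw := range strings.Split(doc, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		isItem := strings.HasPrefix(line, "- ")
		if isItem {
			line = strings.TrimSpace(line[2:])
		}
		var val string
		if key, rest, ok := strings.Cut(line, ": "); ok {
			if strings.TrimSpace(key) != "path" { // only the "path:" key names a file
				continue
			}
			val = strings.TrimSpace(rest)
		} else if isItem {
			val = line // bare list entry, e.g. under resources: or files:
		} else {
			continue // a key with no inline value, e.g. "resources:"
		}
		val = strings.Trim(val, `"'`)
		if val == "" || strings.Contains(val, "://") {
			continue // remote resources are fetched, not read from the pod filesystem
		}
		if i := strings.Index(val, "="); i >= 0 {
			val = val[i+1:] // "name=path" entry in a generator files: list
		}
		refs = append(refs, val)
	}
	return refs
}

// escapesRoot reports whether ref, joined onto root, resolves outside root.
// filepath.Join cleans the result, so "a/../../x" is caught as well as "../x";
// an absolute ref is rejected outright, since joining it onto root would hide it.
func escapesRoot(root, ref string) bool {
	if filepath.IsAbs(ref) {
		return true
	}
	root = filepath.Clean(root)
	rel, err := filepath.Rel(root, filepath.Join(root, ref))
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// checkKustomization returns every reference in doc that escapes root.
func checkKustomization(root, doc string) []string {
	var bad []string
	for _, ref := range extractRefs(doc) {
		if escapesRoot(root, ref) {
			bad = append(bad, ref)
		}
	}
	return bad
}

func main() {
	root := "/tmp/source/apps/demo" // assumed location of the extracted source
	for _, ref := range checkKustomization(root, sampleKustomization) {
		fmt.Printf("REJECT %s: resolves outside %s\n", ref, root)
	}
}
```

The check is purely lexical, so it is fast and needs no checkout on the CI runner, but for the same reason it cannot see symlinks committed inside the repository that point outside it; a policy that also forbids symlinks in the source, or resolves paths with filepath.EvalSymlinks against a real checkout, closes that gap. A conftest policy enforcing the same rule works the same way: flag any reference whose cleaned path starts with ".." or is absolute.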

Weakness Enumeration

Path traversal (CWE-22)

Related Identifiers

BIT-FLUX-2022-24877
BIT-KUSTOMIZE-2022-24877
CVE-2022-24877
GHSA-J77R-2FXF-5JRW
GO-2022-0447

Affected Products

Flux2
Kustomize-Controller