PT-2022-16950 · Vendor: Unknown (+1) · Product: Kustomize-Controller (+1)

Published: 2022-05-06 · Updated: 2024-08-21 · CVE-2022-24878

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: kustomize-controller versions prior to 0.24.0; flux2 versions prior to 0.29.0

Description: Flux is an open and extensible continuous delivery solution for Kubernetes. A path traversal issue in the kustomize-controller, triggered through a malicious kustomization.yaml, allows an attacker to cause a denial of service at the controller level. This can leave multiple tenants unable to apply their Kustomizations until the malicious kustomization.yaml is removed and the controller is restarted. Users with write access to a Flux source can craft a malicious kustomization.yaml file that causes the controller to enter an endless loop.

Recommendations: For kustomize-controller versions prior to 0.24.0, upgrade to version 0.24.0 or later. For flux2 versions prior to 0.29.0, upgrade to version 0.29.0 or later. As a temporary workaround, consider using automated tooling in the CI/CD pipeline to validate that kustomization.yaml files conform to specific policies.
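The workaround above asks for a CI/CD policy check on kustomization.yaml files. The script below is an added example of such a check and is not Flux's or kustomize-controller's own code; it encodes one assumed policy that matches the two weaknesses listed for this advisory: every local path reference in a kustomization must resolve inside the Git source root (no traversal out of the checkout), and must not point at the kustomization's own directory or one of its ancestors (which would recurse back into itself). The field names, the sample files and the "apps/web" directory are constructed for the example; the subset parser is only a fallback for machines without PyYAML.

```python
"""CI policy check for kustomization.yaml path references (constructed example).

Assumed policy, not the controller's actual fix: local references must stay
inside the source root and must not refer back to the kustomization's own
directory or an ancestor of it.
"""
import posixpath

try:
    import yaml  # PyYAML, used when installed
except ImportError:
    yaml = None  # fall back to the minimal subset parser below

# Fields whose entries are paths relative to the kustomization's directory
# (assumed list; extend it to match the kustomize features your repo uses).
PATH_FIELDS = ("resources", "bases", "components", "crds",
               "patchesStrategicMerge", "patches")


def parse_subset(text):
    """Parse the flat 'key: value' / 'key:' + '- item' subset used by simple
    kustomization files. Fallback only; real pipelines should use a full YAML parser."""
    doc, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        stripped = line.lstrip()
        if stripped.startswith("- ") and current is not None:
            doc[current].append(stripped[2:].strip().strip("'\""))
        elif not line[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            doc[current] = []
        elif not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)
            doc[key.strip()] = value.strip().strip("'\"")
            current = None
    return doc


def load_kustomization(text):
    """Parse YAML text into a mapping, preferring PyYAML when available."""
    if yaml is not None:
        return yaml.safe_load(text) or {}
    return parse_subset(text)


def is_remote(ref):
    """Remote bases are a separate policy decision; this policy flags them."""
    return "://" in ref or ref.startswith(("git@", "github.com/"))


def is_self_or_ancestor(resolved, own_dir):
    """True when `resolved` is the kustomization's own directory or contains it."""
    if resolved == ".":           # the source root contains every directory
        return True
    return resolved == own_dir or own_dir.startswith(resolved + "/")


def check_paths(doc, kustomization_dir="."):
    """Return a list of policy violations for a parsed kustomization.

    kustomization_dir: directory holding kustomization.yaml, as a POSIX path
    relative to the source root ("." for the root itself).
    Paths are checked lexically; on a real checkout also resolve symlinks
    with os.path.realpath before trusting the result.
    """
    violations = []
    own_dir = posixpath.normpath(kustomization_dir)
    for field in PATH_FIELDS:
        for entry in doc.get(field) or []:
            # `patches` entries may be mappings with a `path` key
            ref = entry.get("path") if isinstance(entry, dict) else entry
            if not isinstance(ref, str) or not ref:
                continue
            if is_remote(ref):
                violations.append(f"{field}: remote reference {ref!r}")
            elif posixpath.isabs(ref):
                violations.append(f"{field}: absolute path {ref!r}")
            else:
                resolved = posixpath.normpath(posixpath.join(own_dir, ref))
                if resolved == ".." or resolved.startswith("../"):
                    violations.append(
                        f"{field}: {ref!r} escapes the source root (resolves to {resolved})")
                elif is_self_or_ancestor(resolved, own_dir):
                    violations.append(
                        f"{field}: {ref!r} refers to its own directory or an ancestor "
                        f"(resolves to {resolved})")
    return violations


# Constructed sample files, both assumed to live at apps/web/kustomization.yaml
SAFE_KUSTOMIZATION = """\
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - ../../base/service.yaml
"""

BAD_KUSTOMIZATION = """\
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../outside-the-repo.yaml
  - .
"""

if __name__ == "__main__":
    for name, text in (("safe", SAFE_KUSTOMIZATION), ("bad", BAD_KUSTOMIZATION)):
        problems = check_paths(load_kustomization(text), "apps/web")
        print(f"{name}: {'OK' if not problems else 'REJECT'}")
        for p in problems:
            print("  -", p)
```

Run it in the pipeline step that lints the repository before a push is accepted; a non-empty result should fail the job so the file never reaches a controller. Because the check is lexical, pair it with a realpath-based check on the checkout if symlinks are permitted in your sources.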

Weakness Enumeration

Uncontrolled Recursion
Path Traversal

Related Identifiers

BIT-FLUX-2022-24878
BIT-KUSTOMIZE-2022-24878
CVE-2022-24878
GHSA-7PWF-JG34-HXWP
GO-2022-0448

Affected Products

Flux2
Kustomize-Controller