PT-2022-4594 · Flux · Flux
Pjbgf · Published 2022-08-31 · Updated 2024-08-21
CVE-2022-36035
CVSS v3.1: 7.7 (High)
Vector: AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Flux (affected versions not specified)
Description
The Flux CLI improperly handles user-supplied input, resulting in a path traversal that an attacker can control. This allows other applications to replace the Flux deployment information with arbitrary content, which is then deployed into the target Kubernetes cluster. Users who share a shell between other applications and the Flux CLI commands may be affected. In some scenarios no errors are presented, so end users may not realize that something is amiss.
Recommendations
As a temporary workaround, consider running the Flux CLI in ephemeral, isolated shell environments so that no persistent values from previous processes are present.
Upgrading to the latest version of the CLI remains the recommended mitigation.
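As an added example of the workaround above (this is not code from the advisory or the Flux project), a POSIX shell wrapper that runs the Flux CLI with an allowlisted environment and a throw-away TMPDIR, so that values left behind by earlier processes in a shared shell do not reach the CLI. It assumes `flux` is on PATH and that `KUBECONFIG`, when set, points at the intended cluster.

```shell
#!/bin/sh
# Added example, not from the advisory or the Flux project.
# run_isolated CMD [ARGS...]: run CMD with an empty inherited environment
# (env -i), passing through only the variables the CLI needs, plus a fresh
# private TMPDIR that is removed when the command returns. Anything else
# exported by earlier processes in this shell never reaches CMD.
run_isolated() {
    _tmp=$(mktemp -d) || return 1
    # Build the allowlisted environment in front of the command itself.
    set -- PATH="${PATH:-/usr/local/bin:/usr/bin:/bin}" \
           HOME="${HOME:-/}" \
           TMPDIR="$_tmp" "$@"
    # KUBECONFIG is forwarded only when the caller set it explicitly (assumed
    # to point at the intended cluster); nothing else is inherited.
    [ -n "${KUBECONFIG:-}" ] && set -- KUBECONFIG="$KUBECONFIG" "$@"
    env -i "$@"
    _rc=$?
    rm -rf "$_tmp"
    return "$_rc"
}

# flux_isolated: the Flux CLI invoked through the sanitized environment,
# e.g.  flux_isolated install --export
flux_isolated() {
    run_isolated flux "$@"
}

# leak_check NAME: prints the value a child process sees for variable NAME
# under run_isolated ("unset" when it did not leak through). Use it to verify
# the wrapper before trusting it with a real deployment.
leak_check() {
    run_isolated sh -c 'printf "%s" "${'"$1"':-unset}"'
}
```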
Weakness Enumeration
Path traversal
Affected Products
Flux