Uncontrolled Recursion Affecting github.com/fluxcd/kustomize-controller package, versions <0.24.0


Severity

high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS
0.08% (36th percentile)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMFLUXCDKUSTOMIZECONTROLLER-2808857
  • published: 6 May 2022
  • disclosed: 6 May 2022
  • credit: hiddeco

Introduced: 6 May 2022

CVE-2022-24878
CWE-674

How to fix?

Upgrade github.com/fluxcd/kustomize-controller to version 0.24.0 or higher.

Overview

github.com/fluxcd/kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize.

Affected versions of this package are vulnerable to Uncontrolled Recursion: a malicious user can trigger it with a specially crafted kustomization.yaml that is processed at the controller level.

CVSS Base Scores

version 3.1