Arbitrary Code Injection Affecting github.com/fluxcd/kustomize-controller package, versions <0.23.0


Severity: critical (CVSS assessment made by Snyk's Security Team)

Threat Intelligence: EPSS 0.1% (44th percentile)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMFLUXCDKUSTOMIZECONTROLLER-2808859
  • published: 6 May 2022
  • disclosed: 6 May 2022
  • credit: pjbgf

Introduced: 6 May 2022

CVE-2022-24817
CWE-94

How to fix?

Upgrade github.com/fluxcd/kustomize-controller to version 0.23.0 or higher.

Overview

github.com/fluxcd/kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize.

Affected versions of this package are vulnerable to Arbitrary Code Injection via a malicious Kubeconfig. In multi-tenancy deployments, this can also lead to privilege escalation if the controller's service account has elevated permissions. Workaround: if upgrading is not immediately possible, use a Validating Admission webhook to prevent users from setting the spec.kubeConfig field in Flux Kustomization and HelmRelease objects.
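The workaround above can be expressed with the Kubernetes built-in ValidatingAdmissionPolicy API instead of a custom webhook server. The following manifest is an added example, not part of this advisory or of the Flux project; it assumes a cluster where admissionregistration.k8s.io/v1 ValidatingAdmissionPolicy is available, and that the Flux objects live in the kustomize.toolkit.fluxcd.io and helm.toolkit.fluxcd.io API groups. The policy and binding names are illustrative.

```yaml
# Added example: reject any Flux Kustomization or HelmRelease that sets
# spec.kubeConfig, so tenants cannot point the controller at a kubeconfig
# they control. Names are hypothetical; the API groups are Flux's own.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-flux-kubeconfig
spec:
  # Fail closed: if the policy cannot be evaluated, the request is denied.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups:
          - kustomize.toolkit.fluxcd.io
          - helm.toolkit.fluxcd.io
        # Match every served version so a future API bump does not bypass the rule.
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["kustomizations", "helmreleases"]
  validations:
    # `object` is the incoming manifest; the field must simply be absent.
    - expression: "!has(object.spec.kubeConfig)"
      message: "spec.kubeConfig is not permitted on Flux Kustomization and HelmRelease objects"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-flux-kubeconfig
spec:
  policyName: deny-flux-kubeconfig
  # Deny rather than only audit or warn.
  validationActions: ["Deny"]
```

Apply both objects with kubectl apply -f and confirm the denial by attempting to create a Kustomization with spec.kubeConfig set in a tenant namespace. If platform operators legitimately use spec.kubeConfig for their own multi-cluster reconciliation, narrow the binding with spec.matchResources.namespaceSelector so that only tenant namespaces are covered, rather than weakening the expression itself.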
