Vulnerabilites related to fluxcd - helm-controller
Vulnerability from fkie_nvd
Published
2022-10-22 00:15
Modified
2024-11-21 07:17
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v | Third Party Advisory | |
| security-advisories@github.com | https://github.com/kubernetes/apimachinery/issues/131 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/kubernetes/apimachinery/issues/131 | Issue Tracking, Patch, Third Party Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3AA15FCA-BF23-4A33-B5A9-CF1505C01DE0",
"versionEndExcluding": "0.35.0",
"versionStartIncluding": "0.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93AE52F3-8925-4E23-A7ED-65CFB92ED9E2",
"versionEndExcluding": "0.24.0",
"versionStartIncluding": "0.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "38162E9C-6889-4D29-82BF-D2C617F88F50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "F5CE9371-54D5-458E-A946-8477944410F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta1:*:*:*:*:*:*",
"matchCriteriaId": "B176EC42-7E4A-4062-8BC8-82193667439B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta2:*:*:*:*:*:*",
"matchCriteriaId": "929AFCA0-4E79-45FD-89B6-F14805C0CA1E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta3:*:*:*:*:*:*",
"matchCriteriaId": "3FC1DC45-EE36-4686-98AF-D3A69F766854",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta4:*:*:*:*:*:*",
"matchCriteriaId": "339DB8ED-0634-4D66-9899-475D103F535C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:image-automation-controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0E4844DA-E907-4B64-A26B-CED5711B13B8",
"versionEndExcluding": "0.26.0",
"versionStartIncluding": "0.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:image-reflector-controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "19E335B1-AC15-475C-B47C-7F3847340F79",
"versionEndExcluding": "0.22.0",
"versionStartIncluding": "0.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "713AC396-2582-410E-9BFE-71E45F532FE1",
"versionEndExcluding": "0.29.0",
"versionStartIncluding": "0.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "63A3589D-D348-4E8B-9DC2-80644036605A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "C9D16141-22FF-4183-8FA0-9B92B9CA62B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "ADA62C3F-F192-41BC-BAD4-3B0F400F3F54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "0B4165A5-17F9-4270-972D-AF1A0581841C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha5:*:*:*:*:*:*",
"matchCriteriaId": "003F008D-3FC8-4D5D-AF86-BC4CFE14F0F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha6:*:*:*:*:*:*",
"matchCriteriaId": "87BD8959-4DCC-4763-AA61-5FBB645A5981",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha7:*:*:*:*:*:*",
"matchCriteriaId": "CFB65A9C-8ABC-4759-BAC2-316CFA7E19A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha8:*:*:*:*:*:*",
"matchCriteriaId": "8E6ACF71-8B7B-4D52-B766-2D317F1F6F70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha9:*:*:*:*:*:*",
"matchCriteriaId": "E3B8151F-102D-403B-BA6A-718913749FB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta1:*:*:*:*:*:*",
"matchCriteriaId": "52096A03-1BBD-442A-8D96-2B8A452A8B31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta2:*:*:*:*:*:*",
"matchCriteriaId": "88284DA1-3D54-4430-B1B5-7D05AAF4913D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:notification-controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0F26262-DD44-4FE4-9F47-CE40BFD1DCD3",
"versionEndExcluding": "0.27.0",
"versionStartIncluding": "0.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "5635F7E7-C86E-49D6-AA18-8DCC25286978",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "23DB3103-03EB-4985-B5A3-920BE262AB8D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:notification-controller:0.0.1:beta1:*:*:*:*:*:*",
"matchCriteriaId": "B4C71093-D3A7-4F47-BEE5-4EED9C19C568",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:source-controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "62DEB134-7AED-4EF4-AACB-59F0A4F1B778",
"versionEndExcluding": "0.30.0",
"versionStartIncluding": "0.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "58069EA3-088C-45B0-AFF3-4314C8409CC3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "DF8E4FA5-70F1-4705-B3C4-34E18AB9969F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "7E3B1CB6-A1DA-4811-B6AE-C83B2EC7748F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "EB5729D8-66B8-46BD-965E-463BAC5572CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha5:*:*:*:*:*:*",
"matchCriteriaId": "A04F6D7D-EDBB-441C-B622-6E75E55665D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha6:*:*:*:*:*:*",
"matchCriteriaId": "92C89BA6-2DD4-4A01-B688-007C1FB72E85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:source-controller:0.0.1:beta1:*:*:*:*:*:*",
"matchCriteriaId": "871AD2C4-932F-4F70-914A-9D53569FF5E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:source-controller:0.0.1:beta2:*:*:*:*:*:*",
"matchCriteriaId": "15A4025F-40CC-4605-A0FD-FA2AA0001332",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux\u2019s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation."
},
{
"lang": "es",
"value": "Flux es una soluci\u00f3n de entrega continua abierta y extensible para Kubernetes. Las versiones anteriores a 0.35.0, est\u00e1n sujetas a una denegaci\u00f3n de servicio. Los usuarios que presentan permisos para cambiar los objetos de Flux, ya sea medainyte una fuente de Flux o directamente dentro de un cl\u00faster, pueden proporcionar datos no v\u00e1lidos a los campos \".spec.interval\" o \".spec.timeout\" (y variaciones estructuradas de estos campos), causando que todo el tipo de objeto deje de ser procesado. Este problema ha sido corregido en versi\u00f3n 0.35.0. Como mitigaci\u00f3n, pueden emplearse controladores de admisi\u00f3n para restringir los valores que pueden usarse para los campos \".spec.interval\" y \".spec.timeout\", aunque la actualizaci\u00f3n a las \u00faltimas versiones sigue siendo la mitigaci\u00f3n recomendada"
}
],
"id": "CVE-2022-39272",
"lastModified": "2024-11-21T07:17:55.753",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-22T00:15:09.310",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/kubernetes/apimachinery/issues/131"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/kubernetes/apimachinery/issues/131"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1284"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-07 21:15
Modified
2024-11-21 07:12
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CF12F100-CF74-44E7-9CA3-587E32370849",
"versionEndExcluding": "3.9.4",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*",
"matchCriteriaId": "29EFFD48-5825-4DB2-9D8B-44AE793C41F1",
"versionEndExcluding": "0.32.0",
"versionStartIncluding": "0.0.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D3138403-4B4C-4C3D-A5BF-816E148A7799",
"versionEndExcluding": "0.23.0",
"versionStartIncluding": "0.0.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."
},
{
"lang": "es",
"value": "Flux2 es una herramienta para mantener los clusters de Kubernetes sincronizados con las fuentes de configuraci\u00f3n, y el controlador Helm de Flux es un operador de Kubernetes que permite administrar de forma declarativa los lanzamientos de gr\u00e1ficos de Helm. Helm-controller est\u00e1 estrechamente integrado con el SDK de Helm. Una vulnerabilidad encontrada en el SDK de Helm que afecta a flux2 versiones v0.0.17 hasta v0.32.0 y a helm-controller versiones v0.0.4 hasta v0.23.0, permite que determinadas entradas de datos causen un alto consumo de memoria. En algunas plataformas, esto podr\u00eda causar que el controlador entre en p\u00e1nico y deje de procesar las conciliaciones. En un entorno de cl\u00fasteres compartidos con m\u00faltiples inquilinos, un inquilino podr\u00eda crear un HelmRelease que hace que el controlador entre en p\u00e1nico, denegando a todos los dem\u00e1s inquilinos la reconciliaci\u00f3n de sus HelmRelease. Los parches est\u00e1n disponibles en flux2 versi\u00f3n v0.32.0 y helm-controller versi\u00f3n v0.23.0"
}
],
"id": "CVE-2022-36049",
"lastModified": "2024-11-21T07:12:16.093",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-07T21:15:08.483",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-06 00:15
Modified
2024-11-21 06:51
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller's service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller’s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| fluxcd | flux2 | * | |
| fluxcd | helm-controller | * | |
| fluxcd | kustomize-controller | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3B093724-43C4-4D99-A3B7-D0BC5680B9AE",
"versionEndExcluding": "0.29.0",
"versionStartIncluding": "0.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C6A8DB05-A4C1-4E2A-93DA-610265FFC1BF",
"versionEndExcluding": "0.19.0",
"versionStartIncluding": "0.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E49D128E-5A7E-4B2D-85E6-B1643A7ACC04",
"versionEndExcluding": "0.23.0",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller\u0027s service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller\u2019s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0"
},
{
"lang": "es",
"value": "Flux2 es una soluci\u00f3n de entrega continua abierta y extensible para Kubernetes. Las versiones de Flux2 entre 0.1.0 y 0.29.0, helm-controller versiones 0.1.0 a v0.19.0, y kustomize-controller versiones 0.1.0 a v0.23.0 son vulnerables a la inyecci\u00f3n de c\u00f3digo por medio de un Kubeconfig malicioso. En los despliegues multi-tenancy esto tambi\u00e9n puede conllevar una escalada de privilegios si la cuenta de servicio del controlador presenta permisos elevados. Las mitigaciones incluyen deshabilitar la funcionalidad por medio de los webhooks de Comprobaci\u00f3n de Admisi\u00f3n restringiendo a los usuarios la configuraci\u00f3n del campo \"spec.kubeConfig\" en los objetos Flux \"Kustomization\" y \"HelmRelease\". Las mitigaciones adicionales incluyen la aplicaci\u00f3n de perfiles restrictivos de AppArmor y SELinux en el pod del controlador para limitar los binarios que pueden ejecutarse. Esta vulnerabilidad est\u00e1 corregida en kustomize-controller versi\u00f3n v0.23.0 y helm-controller versi\u00f3n v0.19.0, ambos incluidos en flux2 versi\u00f3n v0.29.0"
}
],
"id": "CVE-2022-24817",
"lastModified": "2024-11-21T06:51:09.863",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-06T00:15:07.637",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2022-24817
Vulnerability from cvelistv5
Published
2022-05-06 00:00
Modified
2024-08-03 04:20
Severity ?
EPSS score ?
Summary
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller's service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller’s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.539Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "flux2",
"vendor": "fluxcd",
"versions": [
{
"status": "affected",
"version": "flux2 \u003c v0.29.0 \u003e= v0.1.0"
},
{
"status": "affected",
"version": "helm-controller \u003c v0.23.0 \u003e= v0.1.0"
},
{
"status": "affected",
"version": "kustomize-controller \u003c v0.19.0 \u003e= v0.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller\u0027s service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller\u2019s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-06T00:00:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc"
}
],
"source": {
"advisory": "GHSA-vvmq-fwmg-2gjc",
"discovery": "UNKNOWN"
},
"title": "Improper kubeconfig validation allows arbitrary code execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24817",
"STATE": "PUBLIC",
"TITLE": "Improper kubeconfig validation allows arbitrary code execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "flux2",
"version": {
"version_data": [
{
"version_value": "flux2 \u003c v0.29.0 \u003e= v0.1.0"
},
{
"version_value": "helm-controller \u003c v0.23.0 \u003e= v0.1.0"
},
{
"version_value": "kustomize-controller \u003c v0.19.0 \u003e= v0.2.0"
}
]
}
}
]
},
"vendor_name": "fluxcd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller\u0027s service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller\u2019s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc",
"refsource": "CONFIRM",
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-vvmq-fwmg-2gjc"
}
]
},
"source": {
"advisory": "GHSA-vvmq-fwmg-2gjc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24817",
"datePublished": "2022-05-06T00:00:14",
"dateReserved": "2022-02-10T00:00:00",
"dateUpdated": "2024-08-03T04:20:50.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-36049
Vulnerability from cvelistv5
Published
2022-09-07 20:15
Modified
2024-08-03 09:52
Severity ?
EPSS score ?
Summary
Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3 | x_refsource_CONFIRM | |
| https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh | x_refsource_MISC | |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996 | x_refsource_MISC | |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.382Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "flux2",
"vendor": "fluxcd",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.4, \u003c 0.23.0"
},
{
"status": "affected",
"version": "\u003e= 0.0.17, \u003c 0.32.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-07T20:15:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
}
],
"source": {
"advisory": "GHSA-p2g7-xwvr-rrw3",
"discovery": "UNKNOWN"
},
"title": "Flux2 Helm Controller denial of service",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36049",
"STATE": "PUBLIC",
"TITLE": "Flux2 Helm Controller denial of service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "flux2",
"version": {
"version_data": [
{
"version_value": "\u003e= 0.0.4, \u003c 0.23.0"
},
{
"version_value": "\u003e= 0.0.17, \u003c 0.32.0"
}
]
}
}
]
},
"vendor_name": "fluxcd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3",
"refsource": "CONFIRM",
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
},
{
"name": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh",
"refsource": "MISC",
"url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
},
{
"name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996",
"refsource": "MISC",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
},
{
"name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360",
"refsource": "MISC",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
}
]
},
"source": {
"advisory": "GHSA-p2g7-xwvr-rrw3",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36049",
"datePublished": "2022-09-07T20:15:13",
"dateReserved": "2022-07-15T00:00:00",
"dateUpdated": "2024-08-03T09:52:00.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-39272
Vulnerability from cvelistv5
Published
2022-10-21 00:00
Modified
2024-08-03 12:00
Severity ?
EPSS score ?
Summary
Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/kubernetes/apimachinery/issues/131"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "flux2",
"vendor": "fluxcd",
"versions": [
{
"status": "affected",
"version": "\u003c 0.35.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux\u2019s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284: Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-21T00:00:00",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v"
},
{
"url": "https://github.com/kubernetes/apimachinery/issues/131"
}
],
"source": {
"advisory": "GHSA-f4p5-x4vc-mh4v",
"discovery": "UNKNOWN"
},
"title": "Flux2 vulnerable to Denial of Service due to Improper use of metav1.Duration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39272",
"datePublished": "2022-10-21T00:00:00",
"dateReserved": "2022-09-02T00:00:00",
"dateUpdated": "2024-08-03T12:00:43.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}