GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: rootlesskit, neuvector-sigstore-interface, wolfictl, nerdctl, terragrunt, zot, pulumi-language-dotnet, nuclei, cilium-cli, mods, step-issuer, chezmoi, cilium, glab, splunk-otel-collector, gh, nfpm, opentelemetry-collector, snyk-cli, falcoctl, kubescape, flux-operator...
CVE-2026-34986 vulnerabilities
Vulnerabilities for packages: chainloop-cli-fips, cerbos-fips, sftpgo, cert-manager-istio-csr-fips, gomplate, chainloop-artifact-cas, kyverno-fips, buildah-fips, opencost, step-kms-plugin-fips, trufflehog-fips, containerd-fips, teleport, caddy-fips, gitlab-kas, authentik-fips, conftest,...
GHSA-Q9HV-HPM4-HJ6X vulnerabilities
Vulnerabilities for packages: extism, wolfictl, terragrunt, zot, pulumi-language-dotnet, nuclei, flux-helm-controller, cilium-cli, gitaly, crossplane-provider-aws-dynamodb, crossplane-provider-aws-lambda, nfpm, boring-registry, crossplane-provider-aws-sns, snyk-cli, goreleaser, kubescape,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: extism, wolfictl, terragrunt, zot, pulumi-language-dotnet, nuclei, flux-helm-controller, cilium-cli, gitaly, crossplane-provider-aws-dynamodb, crossplane-provider-aws-lambda, nfpm, boring-registry, crossplane-provider-aws-sns, snyk-cli, goreleaser, kubescape,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-ecr-fips, crossplane-provider-keycloak, crossplane-provider-aws-cloudfront-fips, cerbos-fips, helm-diff, crossplane-provider-aws-kms-fips, rclone-fips, cert-manager-cmctl, gitea, terraform-provider-azurerm-fips,...
BIT-FLUX-2022-24878 Improper path handling in Kustomization files allows for denial of service
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to...
BIT-FLUX-2022-24877 Improper path handling in kustomization files allows path traversal
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly to escalate privileges in multi-tenancy deployments...
BIT-FLUX-2022-24817 Improper kubeconfig validation allows arbitrary code execution
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also...
EUVD-2022-3043
Malicious code in bioql PyPI...
GHSA-J5PM-7495-QMR3 vulnerabilities
Vulnerabilities for packages: kube-conformance, ytt, kubernetes-csi-external-provisioner-fips, cerbos-fips, helm-operator-fips, helm-set-status, cass-operator-fips-no-pvc-delete, gitea, rqlite-fips, gomplate, kyverno-fips, mcp-grafana-fips, trust-manager, step-kms-plugin-fips, trufflehog-fips,...
CVE-2022-24877
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly to escalate privileges in multi-tenancy deployments...
GHSA-32GQ-X56H-299C vulnerabilities
Vulnerabilities for packages: sops, chezmoi, flux-kustomize-controller-fips, ksops, age-fips, sops-fips, grafana, age, flux-kustomize-controller, grafana-fips, litestream...
GO-2022-0260 Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller
Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller...
CVE-2024-35255 vulnerabilities
Vulnerabilities for packages: buildkitd, zarf, sqlpad, flux, rook, sigstore-scaffolding, guac, timestamp-authority, prometheus-operator, terragrunt, py3-cassandra-medusa, fluent-bit-plugin-loki, pulumi, fulcio, zot, velero, nuclei, restic, datadog-agent, cluster-autoscaler,...
BIT-KUSTOMIZE-2022-24877 Improper path handling in kustomization files allows path traversal
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly to escalate privileges in multi-tenancy deployments...
BIT-KUSTOMIZE-2022-24878 Improper path handling in Kustomization files allows for denial of service
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to...
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: helm-operator-fips, nfs-subdir-external-provisioner-fips, cass-operator-fips-no-pvc-delete, gomplate, crossplane-provider-aws-kms, trust-manager, kube-rbac-proxy-fips, prometheus-node-exporter, osv-scanner, caddy-fips, flux-image-automation-controller,...
GHSA-M425-MQ94-257G vulnerabilities
Vulnerabilities for packages: prometheus-blackbox-exporter, kiam, cortex, terraform-provider-sendgrid-fips, dynamic-localpv-provisioner-fips, src, conftest-fips, kubescape, prometheus-adapter-fips, k3d, prometheus-stackdriver-exporter, slsa-verifier, buildkitd, kubeflow, vault-csi-provider,...
GHSA-QPPJ-FM5R-HXR3 vulnerabilities
Vulnerabilities for packages: grpcurl, frp, kubewatch, pulumi-language-dotnet, flux-helm-controller, metacontroller, ip-masq-agent, gobuster, terraform-provider-sendgrid, kind, memcached-exporter, prometheus-adapter, rqlite, fuse-overlayfs-snapshotter, src, kubescape, cortex, metrics-server,...
Improper path handling in Kustomization files allows for denial of service
The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use a specially crafted kustomization.yaml to cause a Denial of Service at the controller level. In multi-tenancy deployments this can lead to multiple...