CVE-2026-34986 vulnerabilities
Vulnerabilities for packages: agentbeat, zot, tw, skaffold, podman, skopeo-fips, skopeo, neuvector-scanner-fips, kyverno-fips, spicedb-fips, sqlexporter-fips, cloudflared, bento-fips, keda-fips, dex, harbor-fips, dex-fips, opencost-fips, kubescape-server-fips, syft, tekton-chains-fips, fulcio-fip...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: xeol, crossplane-provider-aws-kinesis, crossplane-provider-aws-ec2, argo-rollouts, crossplane-provider-azure-authorization, grafana-alloy, crossplane-provider-aws-route53, k9s, zot, actions-runner-controller, crossplane-provider-aws-iam,...
GHSA-Q9HV-HPM4-HJ6X vulnerabilities
Vulnerabilities for packages: xeol, crossplane-provider-aws-kinesis, crossplane-provider-aws-ec2, argo-rollouts, crossplane-provider-azure-authorization, grafana-alloy, crossplane-provider-aws-route53, k9s, zot, actions-runner-controller, crossplane-provider-aws-iam,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: flux-source-controller-fips, helm-push, zot, argocd-image-updater, extism, crossplane-provider-aws-kms, trivy-fips, skaffold, omni, boring-registry, rancher-fleet, flux-helm-controller-fips, q, terraform, vcluster, helm-diff-fips, apko,...
BIT-FLUX-2022-24878 Improper path handling in Kustomization files allows for denial of service
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to...
BIT-FLUX-2022-24877 Improper path handling in kustomization files allows path traversal
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
BIT-FLUX-2022-24817 Improper kubeconfig validation allows arbitrary code execution
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also...
EUVD-2022-3043
Malicious code in bioql PyPI...
GHSA-J5PM-7495-QMR3 vulnerabilities
Vulnerabilities for packages: nri-discovery-kubernetes, zot, aws-sigv4-proxy-fips, cilium-certgen, extism, jaeger-operator, minio-object-browser-fips, skaffold, glow, nova-fips, podman, terraform-provider-sendgrid, grafana-rollout-operator, rancher-fleet, kube-logging-operator, ipfs-cluster,...
CVE-2022-24877
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
GHSA-32GQ-X56H-299C vulnerabilities
Vulnerabilities for packages: litestream, sops, ksops, grafana, grafana-fips, flux-kustomize-controller-fips, age, chezmoi, flux-kustomize-controller, sops-fips, age-fips...
GO-2022-0260 Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller
Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller...
CVE-2024-35255 vulnerabilities
Vulnerabilities for packages: druid, falcoctl, flux-kustomize-controller, sops, trino, bank-vaults, flyte, cosign, hugo-extended, opentelemetry-collector, datadog-agent, grafana-mimir, k8sgpt, external-secrets-operator, grafana-agent-operator, flux-image-reflector-controller, step-ca, rook, corte...
BIT-KUSTOMIZE-2022-24877 Improper path handling in kustomization files allows path traversal
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
BIT-KUSTOMIZE-2022-24878 Improper path handling in Kustomization files allows for denial of service
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to...
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: nri-discovery-kubernetes, zot, crossplane-provider-aws-kms, skaffold, terraform-provider-sendgrid, k8ssandra-operator-fips, prometheus-nats-exporter, kube-logging-operator, dynamic-localpv-provisioner-fips, skopeo, helm, crossplane-provider-aws-sqs, ipfs, cloudflared...
GHSA-M425-MQ94-257G vulnerabilities
Vulnerabilities for packages: up, conftest-fips, bank-vaults-fips, src, k3d, prometheus-adapter-fips, slsa-verifier, terraform-provider-sendgrid, dynamic-localpv-provisioner-fips, aws-efs-csi-driver-fips, kube-oidc-proxy, falcoctl-fips, kubeflow-fips, smarter-device-manager-fips,...
GHSA-QPPJ-FM5R-HXR3 vulnerabilities
Vulnerabilities for packages: slsa-verifier, cue, aws-efs-csi-driver, fuse-overlayfs-snapshotter, stakater-reloader, hugo, kubewatch, kots, kubernetes-csi-livenessprobe, secrets-store-csi-driver, scorecard, kaf, nri-prometheus, nats, kubeflow, atlantis, hey, memcached-exporter, ko, spark-operator...
Improper path handling in Kustomization files allows for denial of service
The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use a specially crafted kustomization.yaml to cause Denial of Service at controller level. In multi-tenancy deployments this can lead to multiple...
GHSA-VVMQ-FWMG-2GJC Improper kubeconfig validation allows arbitrary code execution
Flux2 can reconcile the state of a remote cluster when provided with a kubeconfig with the correct access rights. Kubeconfig files can define commands to be executed to generate on-demand authentication tokens. A malicious user with write access to a Flux source or direct access to the target...