42 matches found
CVE-2026-34986 vulnerabilities
Vulnerabilities for packages: gitlab-kas, minio-fips, hydra, boring-registry-fips, openbao, chainloop-control-plane-fips, ko-fips, cloudbeat, flux-kustomize-controller, cluster-api-aws-controller-fips, envconsul-fips, keda, trillian, thanos, containerd-fips, tekton-pipelines-fips, k3d, gotrue,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: terraform-provider-pagerduty, q, gitea, zarf, cerbos, gitaly, flux-source-controller, crossplane-provider-aws-cloudwatchlogs, extism, rancher-fleet, grafana, k9s, pulumi-language-dotnet, flux-kustomize-controller, crossplane-provider-azure-sql, nuclei, pulumi,...
GHSA-Q9HV-HPM4-HJ6X vulnerabilities
Vulnerabilities for packages: terraform-provider-pagerduty, q, gitea, zarf, cerbos, gitaly, flux-source-controller, crossplane-provider-aws-cloudwatchlogs, extism, rancher-fleet, grafana, k9s, pulumi-language-dotnet, flux-kustomize-controller, crossplane-provider-azure-sql, nuclei, pulumi,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: wolfictl, sops, kubescape, crossplane-provider-aws-lambda-fips, hydra, boring-registry-fips, crossplane-provider-aws-lambda, kyverno-notation-aws, terraform-provider-databricks-fips, nuclei, zot, omni, openbao, grype-db, crossplane-provider-aws-memorydb, syft-fips,...
BIT-FLUX-2022-24878 Improper path handling in Kustomization files allows for denial of service
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to...
BIT-FLUX-2022-24877 Improper path handling in kustomization files allows path traversal
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
BIT-FLUX-2022-24817 Improper kubeconfig validation allows arbitrary code execution
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions 0.1.0 to 0.29.0, helm-controller 0.1.0 to 0.19.0, and kustomize-controller 0.1.0 to 0.23.0 are vulnerable to Code Injection via a malicious kubeconfig. In multi-tenancy deployments this can also...
EUVD-2022-3043
Malicious code in bioql PyPI...
GHSA-J5PM-7495-QMR3 vulnerabilities
Vulnerabilities for packages: gitlab-kas, jaeger-operator-fips, minio-fips, hydra, kubernetes-dashboard-metrics-scraper, cert-exporter, mods, db-operator, promxy, kubernetes-csi-external-provisioner-fips, nri-mysql, kiam, kapp-controller-fips, conjur-cli, docker-machine-driver-harvester,...
CVE-2022-24877
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
GHSA-32GQ-X56H-299C vulnerabilities
Vulnerabilities for packages: sops-fips, grafana-fips, sops, grafana, chezmoi, ksops, flux-kustomize-controller-fips, flux-kustomize-controller, age, litestream, age-fips...
GO-2022-0260 Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller
Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller...
CVE-2024-35255 vulnerabilities
Vulnerabilities for packages: fluent-bit-plugin-loki, zot, trino, trivy, grafana-agent-operator, rclone, cortex, flux-image-reflector-controller, rekor, fulcio, zarf, hugo-extended, external-dns, opentelemetry-collector, teleport, flux-source-controller, guac, flyte, velero, py3-cassandra-medusa,...
BIT-KUSTOMIZE-2022-24877 Improper path handling in kustomization files allows path traversal
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
BIT-KUSTOMIZE-2022-24878 Improper path handling in Kustomization files allows for denial of service
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to...
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: minio-fips, ctop, vault-k8s-fips, boring-registry-fips, kubernetes-dashboard-metrics-scraper, cert-exporter, spark-operator, kiam, crossplane-provider-aws-route53, flux-kustomize-controller, kubernetes, kubernetes-csi-external-resizer, trillian,...
GHSA-M425-MQ94-257G vulnerabilities
Vulnerabilities for packages: ipfs, kubescape, terraform-provider-sendgrid, falco, vault-csi-provider, src, buildkitd, prometheus-adapter-fips, terraform-provider-sendgrid-fips, cluster-autoscaler-fips, spark-operator, kiam, kubevela, up, kube-oidc-proxy, dgraph, dynamic-localpv-provisioner-fips,...
GHSA-QPPJ-FM5R-HXR3 vulnerabilities
Vulnerabilities for packages: spark-operator, grpcurl, flux-source-controller, frp, nodetaint, pulumi-language-dotnet, flux-kustomize-controller, pulumi, kubescape, kubeflow, gobuster, nghttp2, cosign, bom, skaffold, external-dns, dex, cue, prometheus-adapter, hey, nginx-mainline, ko, nginx-stabl...
Improper path handling in Kustomization files allows for denial of service
The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use a specially crafted kustomization.yaml to cause a Denial of Service at the controller level. In multi-tenancy deployments this can lead to multiple...
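The path-traversal entries above (CVE-2022-24877 / CVE-2022-24878 and their BIT-, GHSA- and GO- aliases) all come down to one check the controller was missing: every `resources`, `bases` or `patches` path in a kustomization.yaml must stay inside the directory the source artifact was unpacked into. The following is an added example of that containment check, written here for illustration; it is not kustomize-controller's own code. The artifact root and the hostile resource list are constructed, and the entries are passed as a plain string slice rather than parsed from YAML so the example needs only the Go standard library.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any kustomization path that does not stay
// inside the checked-out source artifact.
var ErrOutsideRoot = errors.New("kustomization path escapes the source root")

// escapes reports whether a path relative to the root climbs above it.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeJoin resolves one kustomization.yaml entry (a resources, bases or
// patches path) against the artifact root purely lexically: absolute paths
// are refused, ".." segments are cleaned by filepath.Join, and the result
// must still lie under the root. Symlinks are not followed here.
func SafeJoin(root, p string) (string, error) {
	if filepath.IsAbs(p) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absRoot, p)
	rel, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	if escapes(rel) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

// SafeJoinResolved additionally follows symlinks, so a link committed to the
// repository that points at the controller pod's filesystem is caught too.
// The target must exist, which a real kustomize build requires anyway.
func SafeJoinResolved(root, p string) (string, error) {
	joined, err := SafeJoin(root, p)
	if err != nil {
		return "", err
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	realPath, err := filepath.EvalSymlinks(joined)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil {
		return "", err
	}
	if escapes(rel) {
		return "", ErrOutsideRoot
	}
	return realPath, nil
}

// CheckKustomization validates every path entry of a kustomization and
// returns the resolved paths, or an error naming the first offending entry.
func CheckKustomization(root string, entries []string) ([]string, error) {
	out := make([]string, 0, len(entries))
	for _, e := range entries {
		p, err := SafeJoin(root, e)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", e, err)
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	// Constructed example: the directory the controller unpacked the Git
	// source into, and the resources list of a hostile kustomization.yaml
	// whose second entry reaches for the pod's service-account token.
	root := "/tmp/kustomize-controller/artifact"
	entries := []string{
		"base/deployment.yaml",
		"../../../../var/run/secrets/kubernetes.io/serviceaccount/token",
	}
	for _, e := range entries {
		p, err := SafeJoin(root, e)
		if err != nil {
			fmt.Printf("REJECT %s: %v\n", e, err)
			continue
		}
		fmt.Printf("OK     %s -> %s\n", e, p)
	}
}
```

The lexical check alone is enough to stop the `../` form used in these advisories, but a tenant who can commit to the source repository can also commit a symlink, which is why the resolved variant re-checks the path after `EvalSymlinks` on both the root and the target.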
GHSA-VVMQ-FWMG-2GJC Improper kubeconfig validation allows arbitrary code execution
Flux2 can reconcile the state of a remote cluster when provided with a kubeconfig with the correct access rights. Kubeconfig files can define commands to be executed to generate on-demand authentication tokens. A malicious user with write access to a Flux source or direct access to the target...
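The kubeconfig advisory above (GHSA-VVMQ-FWMG-2GJC / BIT-FLUX-2022-24817) hinges on the `users[].user.exec` block: a kubeconfig can name a command that the Kubernetes client runs to mint a token, and a controller that loads an attacker-supplied kubeconfig runs that command in its own pod. The following is an added example of a pre-flight check that refuses such kubeconfigs unless exec plugins have been explicitly enabled; it is illustrative code written here, not Flux's own implementation. The kubeconfig is a constructed sample in JSON form (valid YAML, so the Kubernetes loader would accept it) so that the example needs only the Go standard library; only the fields relevant to the check are modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the parts of a kubeconfig that can trigger code execution or weaken
// TLS checks are modelled; the JSON decoder ignores everything else.
type kubeconfig struct {
	Users []struct {
		Name string `json:"name"`
		User struct {
			Token string `json:"token"`
			Exec  *struct {
				Command string   `json:"command"`
				Args    []string `json:"args"`
			} `json:"exec"`
		} `json:"user"`
	} `json:"users"`
	Clusters []struct {
		Name    string `json:"name"`
		Cluster struct {
			Server                string `json:"server"`
			InsecureSkipTLSVerify bool   `json:"insecure-skip-tls-verify"`
		} `json:"cluster"`
	} `json:"clusters"`
}

// ExecPlugins lists every user entry whose credentials would be produced by
// running an external command, formatted as "user: command".
func ExecPlugins(data []byte) ([]string, error) {
	var cfg kubeconfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	var found []string
	for _, u := range cfg.Users {
		if u.User.Exec != nil {
			found = append(found, u.Name+": "+u.User.Exec.Command)
		}
	}
	return found, nil
}

// ValidateKubeconfig rejects a kubeconfig that would make the controller
// execute a command or skip TLS verification, unless the operator opted in.
func ValidateKubeconfig(data []byte, allowExec, allowInsecureTLS bool) error {
	var cfg kubeconfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return err
	}
	for _, u := range cfg.Users {
		if u.User.Exec != nil && !allowExec {
			return fmt.Errorf("user %q: exec credential plugin %q is not allowed", u.Name, u.User.Exec.Command)
		}
	}
	for _, c := range cfg.Clusters {
		if c.Cluster.InsecureSkipTLSVerify && !allowInsecureTLS {
			return fmt.Errorf("cluster %q: insecure-skip-tls-verify is not allowed", c.Name)
		}
	}
	return nil
}

// maliciousKubeconfig is a constructed sample: the exec block runs an
// arbitrary shell command inside whatever process loads this file.
const maliciousKubeconfig = `{
  "apiVersion": "v1", "kind": "Config",
  "clusters": [{"name": "target", "cluster": {"server": "https://10.0.0.1:6443", "insecure-skip-tls-verify": true}}],
  "users": [{"name": "attacker", "user": {"exec": {
    "apiVersion": "client.authentication.k8s.io/v1",
    "command": "sh", "args": ["-c", "id > /tmp/pwned"]}}}],
  "contexts": [{"name": "target", "context": {"cluster": "target", "user": "attacker"}}],
  "current-context": "target"
}`

// tokenKubeconfig is a constructed benign sample using a static bearer token.
const tokenKubeconfig = `{
  "apiVersion": "v1", "kind": "Config",
  "clusters": [{"name": "target", "cluster": {"server": "https://10.0.0.1:6443"}}],
  "users": [{"name": "deployer", "user": {"token": "REDACTED"}}],
  "contexts": [{"name": "target", "context": {"cluster": "target", "user": "deployer"}}],
  "current-context": "target"
}`

func main() {
	for name, cfg := range map[string]string{"malicious": maliciousKubeconfig, "token": tokenKubeconfig} {
		plugins, _ := ExecPlugins([]byte(cfg))
		fmt.Printf("%s: exec plugins=%v validate=%v\n", name, plugins, ValidateKubeconfig([]byte(cfg), false, false))
	}
}
```

Run the check before handing the kubeconfig to the client library, not after, since the exec plugin fires on the first API request. Keeping exec plugins and TLS skipping behind an operator-controlled opt-in mirrors the direction of the upstream fix, which stopped honouring them by default.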