43 matches found
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: crossplane-provider-azure-sql, kubernetes-dashboard, age, kaf, gomplate, slsa-verifier, buildah, act, argo-events, cosign, docker-machine-driver-harvester, gptscript, nuclei, rancher, gatus, zot, cluster-api-azure-controller, grype, kubernetes, cloud-provider-aws,...
CVE-2026-34986 vulnerabilities
Vulnerabilities for packages: fulcio, telegraf, terraform-provider-acme, k3d, task-fips, commercial-chainloop-backend, vault, gatus, goreleaser, seaweedfs-operator, beats-fips, omni-fips, crossplane-provider-gcp-fips, grype-db, ksops, percona-server-mongodb-operator-fips, k3s, falcosidekick,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: crossplane-provider-azure-sql, crossplane-provider-aws-sns, gomplate, gptscript, cluster-api, argo-events, nuclei, terraform-provider-pagerduty, zot, grype, pulumi-language-java, cilium-cli, helm-push, sops, witness, pulumi-language-yaml,...
GHSA-Q9HV-HPM4-HJ6X vulnerabilities
Vulnerabilities for packages: crossplane-provider-azure-sql, crossplane-provider-aws-sns, gomplate, gptscript, cluster-api, argo-events, nuclei, terraform-provider-pagerduty, zot, grype, pulumi-language-java, cilium-cli, helm-push, sops, witness, pulumi-language-yaml,...
CVE-2026-1229 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-ec2, flux-fips, crossplane-provider-aws-cloudformation, terraform-provider-azurerm-fips, gomplate-fips, docker, helm, flux-image-automation-controller-fips, tfsec, aactl, cerbos, crossplane-provider-aws-ecr-fips, image-factory, osv-scanner, q,...
BIT-FLUX-2022-24878 Improper path handling in Kustomization files allows for denial of service
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to...
BIT-FLUX-2022-24877 Improper path handling in kustomization files allows path traversal
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
BIT-FLUX-2022-24817 Improper kubeconfig validation allows arbitrary code execution
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also...
EUVD-2022-3043
Malicious code in bioql PyPI...
GHSA-J5PM-7495-QMR3 vulnerabilities
Vulnerabilities for packages: fulcio, grafana-rollout-operator, telegraf, k3d, newrelic-fluent-bit-output, kubernetes-dashboard-metrics-scraper-fips, helm, cloud-provider-azure, cert-exporter, kubernetes-dashboard-api-fips, nfs-subdir-external-provisioner, external-dns-fips, vault, gatus,...
CVE-2022-24877
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
GHSA-32GQ-X56H-299C vulnerabilities
Vulnerabilities for packages: chezmoi, flux-kustomize-controller, ksops, flux-kustomize-controller-fips, age-fips, sops-fips, age, grafana-fips, sops, litestream, grafana...
GO-2022-0260 Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller
Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller...
CVE-2024-35255 vulnerabilities
Vulnerabilities for packages: pulumi, rclone, step, flux, grafana-agent-operator, timestamp-authority, datadog-agent, bank-vaults, tempo, airflow, hugo, trivy, fluent-bit-plugin-loki, cosign, argo-events, nuclei, opentelemetry-collector-contrib, restic, harbor-registry, zot, boring-registry, flyt...
BIT-KUSTOMIZE-2022-24877 Improper path handling in kustomization files allows path traversal
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments...
BIT-KUSTOMIZE-2022-24878 Improper path handling in Kustomization files allows for denial of service
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to...
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: fulcio, k3d, kubernetes-dashboard-metrics-scraper-fips, helm, cert-exporter, nfs-subdir-external-provisioner, osv-scanner, external-dns-fips, goreleaser, kuberay-operator, metrics-server-fips, falco, kwok, k3s, falcosidekick, kube-bench-fips, kubernetes-dns-node-cach...
GHSA-M425-MQ94-257G vulnerabilities
Vulnerabilities for packages: timestamp-authority-fips, k3d, kiam, cluster-autoscaler-fips, terraform-provider-sendgrid, up, prometheus-adapter-fips, aactl, kube-oidc-proxy, src, kubeflow, scorecard, aws-efs-csi-driver-fips, kubernetes-csi-livenessprobe-fips, kubevela, prometheus-blackbox-exporte...
GHSA-QPPJ-FM5R-HXR3 vulnerabilities
Vulnerabilities for packages: kaf, hugo, terraform-provider-sendgrid, gomplate, grpcurl, slsa-verifier, cosign, dgraph, hey, grype, kpt, nginx-stable, nats, pulumi-language-java, coredns, nodetaint, pulumi-language-yaml, ip-masq-agent, kubewatch, prometheus-adapter, metacontroller, aactl, ollama,...
Improper path handling in Kustomization files allows for denial of service
The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use a specially crafted kustomization.yaml to cause Denial of Service at controller level. In multi-tenancy deployments this can lead to multiple...