CVE-2022-39272
The CVE affects Flux (Flux2) prior to version 0.35.0. A DoS can occur when users with permissions to modify Flux objects provide invalid data in the .spec.interval or .spec.timeout fields (and variations), causing the affected object type to stop being processed. The issue is tied to two root causes:...
CVE-2022-36049
Summary: CVE-2022-36049 affects Flux2 and its helm-controller. A defect in the Helm SDK allows crafted data inputs to trigger abnormally high memory usage, potentially causing the controller to panic and halt reconciliations in multi-tenant clusters. Affected versions: Flux2 v0.0.17 through v0.32...
CVE-2022-24817
The CVE-2022-24817 entry applies to Flux2 components: Flux2 itself (versions 0.1.0–0.29.0), helm-controller (0.1.0–v0.19.0), and kustomize-controller (0.1.0–v0.23.0). The root cause is code injection via a malicious kubeconfig, enabling arbitrary code execution; in multi-tenant deployments it can a...