CVE-2022-39272
The CVE affects Flux (Flux2) prior to version 0.35.0. A DoS can occur when users with permissions to modify Flux objects provide invalid data to fields .spec.interval or .spec.timeout (and variations), causing the affected object type to stop being processed. The issue is tied to two root causes:...
CVE-2022-24877
CVE-2022-24877 affects Flux/Open source Flux CD components: path traversal in the kustomize-controller triggered by a crafted kustomization.yaml, enabling exposure of sensitive data from the controller pod filesystem and potentially privilege escalation in multi-tenant deployments. The issue is m...
CVE-2022-24878
CVE-2022-24878 describes a path-traversal vulnerability in Flux’s kustomize-controller. A malicious kustomization.yaml can cause the kustomize-controller to enter a denial-of-service condition at the controller level. The issue arises from improper handling of paths in Kustomization processing. T...
CVE-2022-24817
The CVE-2022-24817 entry applies to Flux2 components: Flux2 itself (versions 0.1.0–0.29.0), helm-controller (0.1.0–v0.19.0), and kustomize-controller (0.1.0–v0.23.0). The root cause is Code Injection via malicious kubeconfig, enabling arbitrary code execution; in multi-tenant deployments it can a...
CVE-2021-41254
CVE-2021-41254 affects the Flux CD kustomize-controller, allowing authenticated users who can create Secrets, Service Accounts, and Flux Kustomization objects to have the controller execute shell commands inside its container via embedded Secrets. This enables running kubectl under the controller...