{"id":"BIT-kustomize-2022-24877","summary":"Improper path handling in kustomization files allows path traversal","details":"Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.","aliases":["BIT-flux-2022-24877","CVE-2022-24877","GHSA-j77r-2fxf-5jrw","GO-2022-0447"],"modified":"2025-12-02T18:27:39.386214Z","published":"2024-03-06T10:55:31.201Z","database_specific":{"severity":"High","cpes":["cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*"]},"references":[{"type":"WEB","url":"https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24877"}],"affected":[{"package":{"name":"kustomize","ecosystem":"Bitnami","purl":"pkg:bitnami/kustomize"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.24.0"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/kustomize/BIT-kustomize-2022-24877.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}],"schema_version":"1.7.3"}