{"id":"BIT-kustomize-2022-24878","summary":"Improper path handling in Kustomization files allows for denial of service","details":"Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade.","aliases":["BIT-flux-2022-24878","CVE-2022-24878","GHSA-7pwf-jg34-hxwp","GO-2022-0448"],"modified":"2025-12-02T18:27:27.998780Z","published":"2024-03-06T10:55:18.461Z","database_specific":{"severity":"Medium","cpes":["cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*"]},"references":[{"type":"WEB","url":"https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24878"}],"affected":[{"package":{"name":"kustomize","ecosystem":"Bitnami","purl":"pkg:bitnami/kustomize"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.24.0"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/kustomize/BIT-kustomize-2022-24878.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}],"schema_version":"1.7.3"}