x/vulndb: potential Go vuln in github.com/fluxcd/flux2: CVE-2022-24877

[GoVulnBot]

CVE-2022-24877 references github.com/fluxcd/flux2, which may be a Go module.

Description:
Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious kustomization.yaml allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate kustomization.yaml files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.

Links:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-24877
• JSON: https://github.com/CVEProject/cvelist/tree/6b537112bc76d81e0210051c5591a45447f2b12f/2022/24xxx/CVE-2022-24877.json
• GHSA-j77r-2fxf-5jrw

See doc/triage.md for instructions on how to triage this report.

module: github.com/fluxcd/flux2
package: flux2
description: |
    Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0.
cves:
  - CVE-2022-24877
links:
    context:
      - https://github.com/fluxcd/flux2/security/advisories/GHSA-j77r-2fxf-5jrw

[neild]

Vulnerability in tool.

[gopherbot]

Change https://go.dev/cl/592768 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607218 mentions this issue: data/reports: unexclude 20 reports (16)