CVE-2022-24878

HIGH7.7EPSS 0.31%

Improper path handling in Kustomization files allows for denial of service

Published: 5/20/2022Modified: 12/2/2025

Also known as:GHSA-7pwf-jg34-hxwpBIT-flux-2022-24878BIT-kustomize-2022-24878GO-2022-0448

Description

The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use a specially crafted `kustomization.yaml` to cause Denial of Service at controller level. In multi-tenancy deployments this can lead to multiple tenants not being able to apply their Kustomizations until the malicious `kustomization.yaml` is removed and the controller restarted. ### Impact Within the affected versions, users with write access to a Flux source are able to craft a malicious `kustomization.yaml` file which causes the controller to enter an endless loop. ### Patches This vulnerability was fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0 released on 2022-04-20. The changes introduce better handling of Kustomization files blocking references that could lead to endless loops. ### Credits The Flux engineering team found and patched this vulnerability. ### For more information If you have any questions or comments about this advisory please open an issue in the [flux2 repository](http://github.com/fluxcd/flux2).

Affected packages (6)

Bitnami/fluxfrom 0, < 0.29.0
Bitnami/kustomizefrom 0, < 0.24.0
Go/github.com/fluxcd/flux2>= 0.19.0, < 0.29.0
Go/github.com/fluxcd/flux2>= 0.19.0, < 0.29.0
Go/github.com/fluxcd/kustomize-controller>= 0.16.0, < 0.24.0
Go/github.com/fluxcd/kustomize-controller>= 0.16.0, < 0.24.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Description

Affected packages (6)

CVSS scores

References (3)