CVE-2022-24877: 
Flux Kustomize Controller vulnerability analysis and mitigation

Flux, an open and extensible continuous delivery solution for Kubernetes, was found to contain a critical path traversal vulnerability (CVE-2022-24877) in its kustomize-controller component. The vulnerability was discovered in early 2022 and affects versions prior to v0.29.0. The issue allows attackers to exploit malicious kustomization.yaml files to expose sensitive data from the controller's pod filesystem (GitHub Advisory, CVE Mitre).

The vulnerability stems from improper path handling in Kustomization files within the kustomize-controller component. The issue allows attackers to leverage built-in features through a specially crafted kustomization.yaml file to access sensitive data outside the intended filesystem scope. The vulnerability has been assigned a Critical severity rating with a CVSS v3.1 score of 10.0, indicating the highest level of severity. The attack vector is network-based, requires low complexity and privileges, and can result in a scope change with high impact on confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability's impact is particularly severe in multi-tenancy deployments where the controller's service account has elevated permissions. Users with write access to a Flux source can potentially expose sensitive data from the controller's pod filesystem, leading to privilege escalation in multi-tenant environments. This could result in unauthorized access to sensitive information and potential system compromise (GitHub Advisory, Kubernetes Discussion).

The vulnerability was patched in kustomize-controller v0.24.0 and included in flux2 v0.29.0, released on April 20, 2022. The fix introduces a new Kustomize file system implementation that ensures all handled files are contained within the Kustomization working directory. For users unable to update immediately, a recommended workaround includes implementing automated tooling (such as conftest) in CI/CD pipelines to validate kustomization.yaml files against specific security policies (GitHub Advisory).