
Cloud Vulnerability DB
A community-led vulnerabilities database
Flux is an open and extensible continuous delivery solution for Kubernetes. The vulnerability (CVE-2022-24878) involves a Path Traversal issue in the kustomize-controller that can be exploited through a malicious kustomization.yaml file, potentially causing a Denial of Service at the controller level. The vulnerability affects versions prior to kustomize-controller v0.24.0 and flux2 v0.29.0 (Flux Advisory).
The vulnerability is rated High severity with a CVSS v3.1 base score of 7.7. Its vector is Network-based, with Low attack complexity, Low privileges required and No user interaction; the scope is Changed, and there is No impact on Confidentiality or Integrity but High impact on Availability. The issue is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD, GitHub Advisory).
In multi-tenancy deployments, this vulnerability can lead to multiple tenants being unable to apply their Kustomizations until the malicious kustomization.yaml is removed and the controller is restarted. A malicious user with write access to a Flux source can craft a specially designed kustomization.yaml file that causes the controller to enter an endless loop, effectively creating a denial of service condition (GitHub Advisory).
The vulnerability has been fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are strongly advised to upgrade to these versions or newer. As a workaround, automated tooling can be added to the user's CI/CD pipeline to validate that kustomization.yaml files conform to specific policies before they are committed to a Flux source (NVD).
The Flux Security Team disclosed this vulnerability along with two other security issues in May 2022. The community response led to improved security measures and documentation around multi-tenancy deployments. The Flux team has been actively engaging with the CNCF TAG Security for independent security review and recommendations, particularly around multi-tenancy implementations (Flux Advisory).
Source: This report was generated using AI