CVE-2022-36035

EPSS 0.1%
Veröffentlicht 31.08.2022 15:15:08
Zuletzt bearbeitet 21.11.2024 07:12:14
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of user-supplied input, which results in a path traversal that can be controlled by the attacker. Users sharing the same shell between other applications and the Flux CLI commands could be affected by this vulnerability. In some scenarios no errors may be presented, which may cause end users not to realize that something is amiss. A safe workaround is to execute Flux CLI in ephemeral and isolated shell environments, which can ensure no persistent values exist from previous processes. However, upgrading to the latest version of the CLI is still the recommended mitigation strategy.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fluxcd ≫ Flux2 Version >= 0.21.0 < 0.32.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.288

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.7	1.1	6	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/fluxcd/flux2/releases/tag/v0.32.0

Third Party Advisory

Release Notes

https://github.com/fluxcd/flux2/security/advisories/GHSA-xwf3-6rgv-939r

Third Party Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2022-36035

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-36035

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-36035

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-36035