
CVE-2022-24817: Improper kubeconfig validation allows arbitrary code execution

CVSS Score (v3.1): 10
Note: the CVSS v3.1 vector listed under Technical Details scores 9.9 with the standard v3.1 calculator, not 10.

Basic Information

EPSS Score: 0.57442%
Published: 5/16/2022
Updated: 2/3/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Package Name                              Ecosystem   Vulnerable Versions    First Patched Version
github.com/fluxcd/flux2                   go          >= 0.1.0, < 0.29.0     0.29.0
github.com/fluxcd/kustomize-controller    go          >= 0.1.0, < 0.23.0     0.23.0
github.com/fluxcd/helm-controller         go          >= 0.2.0, < 0.19.0     0.19.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing validation of kubeconfig `exec` directives. A kubeconfig can declare, under `users[].user.exec`, an external command that the client runs to obtain credentials. kustomize-controller and helm-controller accept a user-supplied kubeconfig (referenced from a Kustomization or HelmRelease) in order to reconcile a remote cluster, and they loaded it through the standard client-go mechanism, which honours `exec` by default; the command therefore ran inside the controller pod, with the controller's service account and network access. The functions that loaded and processed the kubeconfig (the analysis names LoadKubeConfig() and BuildClientConfig() as illustrative identifiers, not verified symbols from the codebase) did not strip or refuse `exec` entries before the patch. The fix disables exec plugins by default and adds an explicit `--insecure-kubeconfig-exec` flag to re-enable them, which confirms that the behaviour was previously on by default.
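As an added illustration of the check the fix introduced (this is example code written for this page, not Flux's own implementation), the stdlib-only Go program below parses a kubeconfig, enumerates the `users[].user.exec` stanzas and strips them unless the operator has opted in, mirroring the role of `--insecure-kubeconfig-exec`. The struct model, the function names and the sample kubeconfig are assumptions constructed for the example; the real controllers build a client-go rest.Config rather than inspecting the raw document as done here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal kubeconfig model; only the fields this example inspects are typed.
// client-go's loader accepts JSON as well as YAML, so the JSON sample below is
// a syntactically valid kubeconfig and needs no YAML dependency.
type Kubeconfig struct {
	APIVersion string          `json:"apiVersion"`
	Kind       string          `json:"kind"`
	Clusters   json.RawMessage `json:"clusters"` // kept opaque: irrelevant to the check
	Contexts   json.RawMessage `json:"contexts"`
	Users      []NamedUser     `json:"users"`
}

type NamedUser struct {
	Name string   `json:"name"`
	User UserInfo `json:"user"`
}

// UserInfo carries either static credentials or an exec credential plugin
// (users[].user.exec), the directive this CVE is about.
type UserInfo struct {
	Token string      `json:"token,omitempty"`
	Exec  *ExecConfig `json:"exec,omitempty"`
}

type ExecConfig struct {
	APIVersion string   `json:"apiVersion"`
	Command    string   `json:"command"`
	Args       []string `json:"args,omitempty"`
}

// ExecCommands lists every exec plugin the kubeconfig would run, one
// "command arg..." string per user entry that declares one.
func ExecCommands(kc *Kubeconfig) []string {
	var cmds []string
	for _, u := range kc.Users {
		if e := u.User.Exec; e != nil {
			cmds = append(cmds, strings.Join(append([]string{e.Command}, e.Args...), " "))
		}
	}
	return cmds
}

// LoadKubeconfig parses raw and applies the post-fix policy: exec stanzas are
// removed unless allowExec is true (the role of --insecure-kubeconfig-exec).
// It returns the sanitized config and the commands that were removed.
// The pre-fix behaviour is equivalent to always calling it with allowExec=true.
func LoadKubeconfig(raw []byte, allowExec bool) (*Kubeconfig, []string, error) {
	var kc Kubeconfig
	if err := json.Unmarshal(raw, &kc); err != nil {
		return nil, nil, fmt.Errorf("parse kubeconfig: %w", err)
	}
	if kc.Kind != "Config" {
		return nil, nil, fmt.Errorf("unexpected kind %q, want Config", kc.Kind)
	}
	if allowExec {
		return &kc, nil, nil
	}
	removed := ExecCommands(&kc)
	for i := range kc.Users {
		kc.Users[i].User.Exec = nil
	}
	return &kc, removed, nil
}

// MaliciousKubeconfig is a constructed sample (not from a real incident): the
// "attacker" user authenticates through an exec plugin, so a client honouring
// it runs /bin/sh inside whatever pod loads the file. The payload is harmless.
const MaliciousKubeconfig = `{
  "apiVersion": "v1",
  "kind": "Config",
  "clusters": [{"name": "remote", "cluster": {"server": "https://10.0.0.1:6443"}}],
  "contexts": [{"name": "remote", "context": {"cluster": "remote", "user": "attacker"}}],
  "current-context": "remote",
  "users": [{"name": "attacker", "user": {"exec": {
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "command": "/bin/sh",
    "args": ["-c", "echo exec plugin ran"]
  }}}]
}`

func main() {
	for _, allow := range []bool{false, true} {
		kc, removed, err := LoadKubeconfig([]byte(MaliciousKubeconfig), allow)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("allowExec=%v: removed=%q, still present=%q\n", allow, removed, ExecCommands(kc))
	}
}
```

Stripping the stanza, as above, leaves the user entry without any credential, so the remote API call fails with an authentication error instead of running the command; rejecting the whole kubeconfig with an error is the louder alternative and is easier to surface in reconciliation status. Either way the decision must be taken before the config reaches client-go, because client-go executes the plugin on the first request.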


WAF Protection Rules

WAF Rule

Flux2 can reconcile the state of a remote cluster when provided with a [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#file-references) with the correct access rights. `Kubeconfig` files can define [
