CVE-2022-24817: Improper kubeconfig validation allows arbitrary code execution
CVSS Score: 10 (CVSS 3.1; note that the vector listed under Technical Details computes to a 9.9 base score under the CVSS 3.1 formula)
Basic Information
CVE ID: CVE-2022-24817
GHSA ID:
EPSS Score: 0.57442%
CWE:
Published: 5/16/2022
Updated: 2/3/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/fluxcd/flux2 | go | >= 0.1.0, < 0.29.0 | 0.29.0 |
github.com/fluxcd/kustomize-controller | go | >= 0.1.0, < 0.23.0 | 0.23.0 |
github.com/fluxcd/helm-controller | go | >= 0.2.0, < 0.19.0 | 0.19.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper validation of kubeconfig `exec` directives. When a Kustomization or HelmRelease points kustomize-controller or helm-controller at a kubeconfig through `spec.kubeConfig`, the controllers built their Kubernetes client through the standard kubeconfig loading path, which honours the `exec` credential-plugin stanza by default: client-go runs the named command inside the controller's pod whenever it needs credentials. Before the patch, the functions that load and process kubeconfigs (the analysis refers to them as `LoadKubeConfig()` and `BuildClientConfig()`; the names are illustrative) did not strip or disable `exec` entries, so anyone able to supply a kubeconfig to the controller could run arbitrary commands with the controller's privileges. The fix introduced an explicit flag, `--insecure-kubeconfig-exec`, which defaults to off and must be set deliberately to re-enable the behaviour. Gating the functionality behind an opt-in flag confirms that it was reachable by default in the affected versions.
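The gate described above, as an added example in Go using only the standard library (not the controllers' own code): a trimmed mirror of the kubeconfig `users[].user.exec` schema, a check that reports which users would invoke a credential plugin, and a loader that strips those stanzas unless an `insecureExec` switch is set. The switch models the documented default of `--insecure-kubeconfig-exec` (off) as this example assumes it; the function names, the strip-rather-than-reject behaviour and the malicious kubeconfig document are all constructed for illustration. The document is JSON rather than YAML so it parses without third-party packages; JSON is also a valid kubeconfig for client-go.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Trimmed mirror of client-go's kubeconfig (clientcmd/api/v1) types: only the
// fields needed to find an "exec" credential plugin. Hypothetical subset for
// this example, not the real type definitions.
type ExecConfig struct {
	APIVersion string   `json:"apiVersion,omitempty"`
	Command    string   `json:"command"`
	Args       []string `json:"args,omitempty"`
}

type AuthInfo struct {
	Token string      `json:"token,omitempty"`
	Exec  *ExecConfig `json:"exec,omitempty"`
}

type NamedAuthInfo struct {
	Name string   `json:"name"`
	User AuthInfo `json:"user"`
}

type KubeConfig struct {
	Users []NamedAuthInfo `json:"users"`
}

// MaliciousKubeConfig is a constructed example of a kubeconfig a low-privileged
// tenant could hand to the controller: client-go would run /bin/sh inside the
// controller pod whenever it needs credentials for the "tenant" user.
const MaliciousKubeConfig = `{
  "apiVersion": "v1",
  "kind": "Config",
  "users": [
    {"name": "tenant", "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
      "command": "/bin/sh", "args": ["-c", "id > /tmp/pwned"]}}},
    {"name": "benign", "user": {"token": "redacted"}}
  ]
}`

// ExecProviders reports which users would invoke a credential plugin, keyed by
// user name with the command that would be executed. Useful as an audit check
// over kubeconfig Secrets before a controller ever loads them.
func ExecProviders(cfg *KubeConfig) map[string]string {
	found := map[string]string{}
	for _, u := range cfg.Users {
		if u.User.Exec != nil {
			found[u.Name] = u.User.Exec.Command
		}
	}
	return found
}

// StripExecProviders removes every exec stanza unless insecureExec is true
// (assumed semantics of --insecure-kubeconfig-exec: off by default, exec only
// honoured after an explicit opt-in). It returns the affected user names so the
// caller can log what was dropped.
func StripExecProviders(cfg *KubeConfig, insecureExec bool) []string {
	if insecureExec {
		return nil
	}
	var stripped []string
	for i := range cfg.Users {
		if cfg.Users[i].User.Exec != nil {
			cfg.Users[i].User.Exec = nil
			stripped = append(stripped, cfg.Users[i].Name)
		}
	}
	return stripped
}

// LoadKubeConfig parses the raw document and applies the gate before anything
// can build a client from it. The name echoes the page's analysis; it is a
// hypothetical helper, not the controllers' own function.
func LoadKubeConfig(raw []byte, insecureExec bool) (*KubeConfig, []string, error) {
	var cfg KubeConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, nil, fmt.Errorf("parse kubeconfig: %w", err)
	}
	stripped := StripExecProviders(&cfg, insecureExec)
	return &cfg, stripped, nil
}

func main() {
	// Pre-patch behaviour (equivalent to --insecure-kubeconfig-exec=true): the
	// exec stanza survives and the plugin command will run in the pod.
	vuln, _, _ := LoadKubeConfig([]byte(MaliciousKubeConfig), true)
	fmt.Println("exec allowed, plugins kept:", ExecProviders(vuln))

	// Patched default: the stanza is removed and reported before a client is built.
	safe, stripped, _ := LoadKubeConfig([]byte(MaliciousKubeConfig), false)
	fmt.Println("exec gated, stripped users:", stripped, "remaining plugins:", ExecProviders(safe))
}
```

With the gate on, the tenant's `/bin/sh` entry is dropped and only the token-based user remains; with it off, `ExecProviders` still shows the command that would execute. The same `ExecProviders` check, run over every kubeconfig stored in a cluster for the controllers to consume, is a cheap way to confirm that no remote-apply target depends on an `exec` plugin before upgrading to the patched versions, where such entries are no longer honoured by default.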