7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24878

GHSA ID

GHSA-7pwf-jg34-hxwp

EPSS Score

0.5238%

CWE

CWE-674

Published

5/20/2022

Updated

1/27/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24878

CVE-2022-24878:
Improper path handling in Kustomization files allows for denial of service

The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use a specially crafted kustomization.yaml to cause Denial of Service at controller level.

In multi-tenancy deployments this can lead to multiple tenants not being able to apply their Kustomizations until the malicious kustomization.yaml is removed and the controller restarted.

Impact

Within the affected versions, users with write access to a Flux source are able to craft a malicious kustomization.yaml file which causes the controller to enter an endless loop.

Patches

This vulnerability was fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0 released on 2022-04-20. The changes introduce better handling of Kustomization files blocking references that could lead to endless loops.

Credits

The Flux engineering team found and patched this vulnerability.

For more information

If you have any questions or comments about this advisory please open an issue in the flux2 repository.

(GitHub Advisory)

7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24878

GHSA ID

GHSA-7pwf-jg34-hxwp

EPSS Score

0.5238%

CWE

CWE-674

Published

5/20/2022

Updated

1/27/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/fluxcd/kustomize-controller	go	>= 0.16.0, < 0.24.0	0.24.0
github.com/fluxcd/flux2	go	>= 0.19.0, < 0.29.0	0.29.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper cycle detection in Kustomization file processing. The reconciliation loop (KustomizationReconciler.reconcile) and resource loader (loader.Load) are core components that process user-provided kustomization.yaml files. The lack of cycle checks in these functions allowed recursive references to cause endless loops. The CWE-674 (Uncontrolled Recursion) alignment and the patched 'blocking references' behavior described in advisories strongly implicate these functions. The high confidence comes from the architectural role of these functions and the explicit mention of path/dependency handling fixes in the patch notes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** kustomiz*-*ontroll*r *n**l*s t** us* o* Kustomiz*’s *un*tion*lity w**n *pplyin* Ku**rn*t*s ***l*r*tiv* st*t* onto * *lust*r. * m*li*ious us*r **n us* * sp**i*lly *r**t** `kustomiz*tion.y*ml` to **us* **ni*l o* S*rvi** *t *ontroll*r l*v*l. In mul

Reasoning

T** vuln*r**ility st*ms *rom improp*r *y*l* **t**tion in Kustomiz*tion *il* pro**ssin*. T** r**on*ili*tion loop (`Kustomiz*tionR**on*il*r.r**on*il*`) *n* r*sour** lo***r (`lo***r.Lo**`) *r* *or* *ompon*nts t**t pro**ss us*r-provi*** `kustomiz*tion.y*

7.7

Basic Information

Concerned about an active attack path?

CVE-2022-24878: Improper path handling in Kustomization files allows for denial of service

Impact

Patches

Credits

For more information

7.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-24878:
Improper path handling in Kustomization files allows for denial of service

Vulnerability Intelligence
Miggo AI