CVE-2022-24878: Improper path handling in Kustomization files allows for denial of service
CVSS Score: 7.7 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-24878
GHSA ID:
EPSS Score: 0.5238%
CWE: CWE-674 (Uncontrolled Recursion)
Published: 5/20/2022
Updated: 1/27/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/fluxcd/kustomize-controller | go | >= 0.16.0, < 0.24.0 | 0.24.0 |
| github.com/fluxcd/flux2 | go | >= 0.19.0, < 0.29.0 | 0.29.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper cycle detection in Kustomization file processing. The reconciliation loop (`KustomizationReconciler.reconcile`) and the resource loader (`loader.Load`) are core components that process user-provided `kustomization.yaml` files. The lack of cycle checks in these functions allowed recursive references to cause endless loops. The CWE-674 (Uncontrolled Recursion) alignment and the patched "blocking references" behavior described in advisories strongly implicate these functions. The high confidence comes from the architectural role of these functions and the explicit mention of path/dependency handling fixes in the patch notes.
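To make the missing check concrete, here is an added example (not code from kustomize-controller or Flux): a hypothetical in-memory kustomization loader that rejects a directory referencing itself or a mutual reference between directories, while still allowing two overlays to share one base. The `Loader`, `Kustomization` and `ErrCycle` names and the in-memory file tree are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
)

// Kustomization is a minimal stand-in for a parsed kustomization.yaml; only "resources" matters here.
type Kustomization struct{ Resources []string }

// ErrCycle is returned when a directory is reached again while it is still being loaded.
var ErrCycle = errors.New("kustomization reference cycle")

// Loader reads from an in-memory tree (hypothetical stand-in for the controller's source checkout).
type Loader struct{ Files map[string]Kustomization } // directory -> parsed kustomization.yaml

// Load walks resources depth-first and returns manifest paths in load order.
// Without the inProgress check, a self-reference such as "../apps" never returns.
func (l *Loader) Load(dir string) ([]string, error) {
	return l.load(path.Clean(dir), map[string]bool{}, nil)
}

func (l *Loader) load(dir string, inProgress map[string]bool, out []string) ([]string, error) {
	if inProgress[dir] {
		return nil, fmt.Errorf("%w: %q is already being loaded", ErrCycle, dir)
	}
	k, ok := l.Files[dir]
	if !ok {
		return nil, fmt.Errorf("no kustomization.yaml in %q", dir)
	}
	// Only directories on the current path are "in progress": two overlays sharing one base (a diamond) is not a cycle.
	inProgress[dir] = true
	defer delete(inProgress, dir)
	var err error
	for _, r := range k.Resources {
		child := path.Join(dir, r)
		if _, isDir := l.Files[child]; !isDir {
			out = append(out, child) // plain manifest file, nothing to descend into
		} else if out, err = l.load(child, inProgress, out); err != nil {
			return nil, err
		}
	}
	return out, nil
}

func main() {
	l := &Loader{Files: map[string]Kustomization{"apps": {Resources: []string{"deploy.yaml", "../apps"}}}} // constructed: self-reference via ../apps
	fmt.Println(l.Load("apps"))
}
```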