Skip to content

x/vulndb: potential Go vuln in github.com/fluxcd/flux2: CVE-2022-36035 #960

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
GoVulnBot opened this issue Aug 31, 2022 · 4 comments
Closed

x/vulndb: potential Go vuln in github.com/fluxcd/flux2: CVE-2022-36035 #960

GoVulnBot opened this issue Aug 31, 2022 · 4 comments
Assignees
@tatianab
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

CVE-2022-36035 references github.com/fluxcd/flux2, which may be a Go module.

Description:
Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of user-supplied input, which results in a path traversal that can be controlled by the attacker. Users sharing the same shell between other applications and the Flux CLI commands could be affected by this vulnerability. In some scenarios no errors may be presented, which may cause end users not to realize that something is amiss. A safe workaround is to execute Flux CLI in ephemeral and isolated shell environments, which can ensure no persistent values exist from previous processes. However, upgrading to the latest version of the CLI is still the recommended mitigation strategy.

References:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/fluxcd/flux2
    packages:
      - package: flux2
description: |
    Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of user-supplied input, which results in a path traversal that can be controlled by the attacker. Users sharing the same shell between other applications and the Flux CLI commands could be affected by this vulnerability. In some scenarios no errors may be presented, which may cause end users not to realize that something is amiss. A safe workaround is to execute Flux CLI in ephemeral and isolated shell environments, which can ensure no persistent values exist from previous processes. However, upgrading to the latest version of the CLI is still the recommended mitigation strategy.
cves:
  - CVE-2022-36035
references:
  - web: https://github.com/fluxcd/flux2/security/advisories/GHSA-xwf3-6rgv-939r
  - web: https://github.com/fluxcd/flux2/releases/tag/v0.32.0
@tatianab tatianab self-assigned this Aug 31, 2022
@tatianab
Copy link
Contributor

Vulnerability in tool

@tatianab tatianab added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Aug 31, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/426716 mentions this issue: data/reports: add data/excluded/GO-2022-0960.yaml for CVE-2022-36035

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592774 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607229 mentions this issue: data/reports: unexclude 20 reports (27)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (27)
bcdceff 
  - data/reports/GO-2022-0922.yaml
  - data/reports/GO-2022-0923.yaml
  - data/reports/GO-2022-0924.yaml
  - data/reports/GO-2022-0925.yaml
  - data/reports/GO-2022-0928.yaml
  - data/reports/GO-2022-0929.yaml
  - data/reports/GO-2022-0933.yaml
  - data/reports/GO-2022-0936.yaml
  - data/reports/GO-2022-0937.yaml
  - data/reports/GO-2022-0938.yaml
  - data/reports/GO-2022-0939.yaml
  - data/reports/GO-2022-0953.yaml
  - data/reports/GO-2022-0959.yaml
  - data/reports/GO-2022-0960.yaml
  - data/reports/GO-2022-0964.yaml
  - data/reports/GO-2022-0970.yaml
  - data/reports/GO-2022-0971.yaml
  - data/reports/GO-2022-0981.yaml
  - data/reports/GO-2022-0982.yaml
  - data/reports/GO-2022-0983.yaml

Updates #922
Updates #923
Updates #924
Updates #925
Updates #928
Updates #929
Updates #933
Updates #936
Updates #937
Updates #938
Updates #939
Updates #953
Updates #959
Updates #960
Updates #964
Updates #970
Updates #971
Updates #981
Updates #982
Updates #983

Change-Id: I2c7e7a823ba3bf18dab1234a40c08ac4825903f6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607229
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
Commit-Queue: Tatiana Bradley <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot