and static files. Flux CLI versions 1.3.0 through 1.4.0 are vulnerable to this issue. The severity of the flaw is rated Medium due to the fact that it can be exploited by attackers to deploy arbitrary code into the target Kubernetes cluster. The Flux CLI is a tool for constructing, managing, and maintaining Kubernetes clusters. It acts as a centralized service for configuration management and is used to control the flow of updates to a cluster. It also provides end-to-end encryption of configuration data.
Background information:
Flux is a Kubernetes configuration management tool that provides automated updates for cluster deployments. It does not use Flux CLI versions 1.3.0 through 1.4.0 to provide this functionality and thus is not vulnerable to the CVE-2022-36035 flaw in these versions of the Flux CLI.
Vulnerability overview
Flux CLI suffers from a vulnerability that allows attackers to access the in-memory copy of the configuration, which is used within the Flux CLI utility. The vulnerability is a result of using JavaScript to render an object with an insecure property on a Kubernetes cluster, which would allow an attacker to view and potentially modify the configuration data in memory.
Timeline
Published on: 08/31/2022 15:15:00 UTC
Last modified on: 09/08/2022 03:28:00 UTC