Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux's objects, either through a Flux source or directly within a cluster, can provide invalid data to the fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, admission controllers can be employed to restrict the values accepted for the fields `.spec.interval` and `.spec.timeout`; however, upgrading to the latest versions is still the recommended mitigation.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/fluxcd/flux2 (Go) | 0.1.0 | 0.35.0 | N/A |
| github.com/fluxcd/source-controller (Go) | 0.0.1-alpha-1 | 0.30.0 | N/A |
| github.com/fluxcd/kustomize-controller (Go) | 0.0.1-alpha-1 | 0.29.0 | N/A |
| github.com/fluxcd/helm-controller (Go) | 0.0.1-alpha-1 | 0.24.0 | N/A |
| github.com/fluxcd/notification-controller (Go) | 0.0.1-alpha-1 | 0.27.0 | N/A |
| github.com/fluxcd/image-automation-controller (Go) | 0.1.0 | 0.26.0 | N/A |
| github.com/fluxcd/image-reflector-controller (Go) | 0.1.0 | 0.22.0 | N/A |
| github.com/fluxcd/helm-controller/api (Go) | 0 | 0.26.0 | N/A |
| github.com/fluxcd/image-automation-controller/api (Go) | 0 | 0.26.1 | N/A |
| github.com/fluxcd/image-reflector-controller/api (Go) | 0 | 0.22.1 | N/A |
| github.com/fluxcd/kustomize-controller/api (Go) | 0 | 0.30.0 | N/A |
| github.com/fluxcd/notification-controller/api (Go) | 0 | 0.28.0 | N/A |
| github.com/fluxcd/source-controller/api (Go) | 0 | 0.30.0 | N/A |
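The workaround above relies on an admission controller rejecting bad `.spec.interval` and `.spec.timeout` values before a Flux controller ever sees them. The following is an added example of the validation logic such a controller or webhook would apply; it is not code from the Flux project or from the advisory. It assumes the fields are parsed the way Kubernetes' `metav1.Duration` parses a JSON string, i.e. with Go's `time.ParseDuration`, and that a non-positive interval is also undesirable. The object kinds and field values in `main` are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// durationFields lists the Flux spec fields the admission check validates.
// Assumption: these are the fields named in the advisory; other duration
// fields in specific Flux kinds would be added here.
var durationFields = []string{"interval", "timeout"}

// ValidateFluxSpec takes the raw JSON of a Flux object (for example a
// GitRepository or Kustomization as delivered to an admission webhook) and
// returns an error describing the first duration field that would be
// rejected. A nil return means the object may be admitted.
func ValidateFluxSpec(raw []byte) error {
	var obj struct {
		Kind string                     `json:"kind"`
		Spec map[string]json.RawMessage `json:"spec"`
	}
	if err := json.Unmarshal(raw, &obj); err != nil {
		return fmt.Errorf("object is not valid JSON: %w", err)
	}
	for _, field := range durationFields {
		rawVal, present := obj.Spec[field]
		if !present {
			// Optional field: absent values are left to the controller's defaults.
			continue
		}
		// metav1.Duration is serialised as a JSON string; anything else
		// (a number, null, an object) is rejected outright.
		var s string
		if err := json.Unmarshal(rawVal, &s); err != nil {
			return fmt.Errorf("%s: .spec.%s must be a string, got %s", obj.Kind, field, string(rawVal))
		}
		// Assumption: the same parser Kubernetes uses for metav1.Duration.
		d, err := time.ParseDuration(s)
		if err != nil {
			return fmt.Errorf("%s: .spec.%s %q is not a valid duration: %w", obj.Kind, field, s, err)
		}
		if d <= 0 {
			return fmt.Errorf("%s: .spec.%s must be positive, got %s", obj.Kind, field, d)
		}
	}
	return nil
}

func main() {
	// Constructed sample objects (not taken from the advisory): one that
	// passes, one with an unparsable interval, one with a non-string timeout.
	samples := [][]byte{
		[]byte(`{"kind":"GitRepository","spec":{"interval":"1m","timeout":"60s"}}`),
		[]byte(`{"kind":"Kustomization","spec":{"interval":"10 minutes"}}`),
		[]byte(`{"kind":"HelmRelease","spec":{"interval":"5m","timeout":-1}}`),
	}
	for _, s := range samples {
		if err := ValidateFluxSpec(s); err != nil {
			fmt.Println("DENY:", err)
		} else {
			fmt.Println("ALLOW")
		}
	}
}
```

Wiring this into a ValidatingWebhookConfiguration or an equivalent policy engine is deployment-specific; the point of the check is that a malformed value is refused at the API server, so it never lands in the store and cannot stall reconciliation of every object of that type.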