CVE-2022-36035: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in fluxcd flux2
Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of user-supplied input, which results in a path traversal that can be controlled by the attacker. Users sharing the same shell between other applications and the Flux CLI commands could be affected by this vulnerability. In some scenarios no errors may be presented, which may cause end users not to realize that something is amiss. A safe workaround is to execute Flux CLI in ephemeral and isolated shell environments, which can ensure no persistent values exist from previous processes. However, upgrading to the latest version of the CLI is still the recommended mitigation strategy.
AI Analysis
Technical Summary
CVE-2022-36035 is a medium-severity vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal) affecting the Flux CLI component of fluxcd's flux2 product. Flux is a GitOps tool designed to synchronize Kubernetes clusters with configuration sources such as Git repositories, automating deployment updates. The vulnerability arises from improper handling of user-supplied input within the Flux CLI, which allows an attacker to perform a path traversal attack. This flaw enables malicious applications sharing the same shell environment as the Flux CLI to replace legitimate Flux deployment information with arbitrary content. Consequently, this arbitrary content can be deployed into the target Kubernetes cluster, potentially leading to unauthorized code execution or configuration manipulation. The attack vector requires that the attacker has access to the same shell environment as the legitimate user running Flux CLI commands, which implies a shared or compromised shell session. Notably, in some cases, no error messages are generated, which may cause end users to remain unaware of the compromise. The vulnerability affects flux2 versions from 0.21.0 up to but not including 0.32.0. The recommended mitigation is upgrading to the latest version of the Flux CLI where the vulnerability is patched. As a temporary workaround, executing Flux CLI commands in ephemeral and isolated shell environments can prevent persistent contamination from previous processes, reducing the risk of exploitation. There are no known exploits in the wild at the time of this analysis, and no CVSS score has been assigned to this vulnerability.
Potential Impact
For European organizations utilizing Kubernetes clusters managed via fluxcd's flux2 tool, this vulnerability poses a risk of unauthorized modification of deployment configurations. An attacker able to exploit this flaw could inject arbitrary configurations or code into Kubernetes clusters, potentially leading to unauthorized access, privilege escalation, or disruption of critical services. Given Kubernetes' widespread adoption in cloud-native environments across Europe, especially in sectors such as finance, telecommunications, and critical infrastructure, the impact could be significant. The stealthy nature of the vulnerability (no errors may be presented when the deployment content is replaced) raises the risk of prolonged undetected compromise, increasing the potential damage. Organizations with multi-tenant environments or shared shell access are particularly exposed, as attackers could leverage shared environments to execute the attack. While no known exploits exist currently, the potential for supply chain or insider threat exploitation remains, especially in environments where Flux CLI is used extensively for automated deployments.
Mitigation Recommendations
- Upgrade the flux2 CLI to version 0.32.0 or later, where the vulnerability is patched.
- Avoid sharing shell environments between Flux CLI and other applications; use isolated or ephemeral shells (e.g., containers, virtual machines, or dedicated terminal sessions) when running Flux CLI commands.
- Implement strict access controls and monitoring on systems where Flux CLI is used to detect unauthorized shell sharing or suspicious activity.
- Audit and restrict user permissions to minimize the risk of unauthorized access to shell environments used for deployment.
- Incorporate runtime monitoring and integrity checks on Kubernetes deployment manifests to detect unauthorized changes post-deployment.
- Establish secure development and deployment pipelines that include validation of Flux CLI versions and configurations before production deployment.
- Educate DevOps and security teams about the risks of shared shell environments and the importance of isolating deployment tools.
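The two controls that matter most above are the version gate and the clean shell. The wrapper below is an added example, not code from this advisory or from the Flux project: it refuses to run any CLI release below the 0.32.0 threshold stated on this page, and it launches the CLI through `env -i` with a freshly created private `TMPDIR`, so no variable or path left behind by another process in a shared shell can reach it. It assumes a POSIX shell with `env`, `mktemp` and `cut`, assumes the CLI honours the standard `KUBECONFIG` variable, and assumes `flux --version` prints a line ending in the version number (e.g. `flux version 0.32.0`); the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: run the Flux CLI only when it is a fixed release, and only in
# an isolated environment. Not part of the advisory or of fluxcd/flux2.

MIN_FIXED="0.32.0"   # first fixed release, as stated in the advisory

# version_ge A B: exit 0 if numeric version A (major.minor.patch) >= B.
# A leading "v" and a pre-release suffix such as "-rc1" are ignored.
version_ge() {
    a=${1#v}; b=${2#v}
    i=1
    while [ "$i" -le 3 ]; do
        ai=$(printf '%s\n' "$a" | cut -d. -f"$i"); ai=${ai%%-*}; ai=${ai:-0}
        bi=$(printf '%s\n' "$b" | cut -d. -f"$i"); bi=${bi%%-*}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_flux_version OUTPUT: parse the text printed by `flux --version`
# (assumed form "flux version X.Y.Z") and exit 0 only for a fixed release.
check_flux_version() {
    ver=${1##* }                      # last whitespace-separated word
    version_ge "$ver" "$MIN_FIXED"
}

# run_isolated CMD [ARGS...]: run CMD with an empty environment except for a
# minimal PATH, HOME, the kubeconfig location and a private temp dir that is
# created for this one invocation and removed afterwards.
run_isolated() {
    tmp=$(mktemp -d) || return 1
    env -i PATH="/usr/local/bin:/usr/bin:/bin" \
           HOME="$HOME" \
           KUBECONFIG="${KUBECONFIG:-$HOME/.kube/config}" \
           TMPDIR="$tmp" \
           "$@"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# safe_flux ARGS...: version gate first, then the isolated run.
# Usage: safe_flux install --export > flux-system.yaml
safe_flux() {
    command -v flux >/dev/null 2>&1 || { echo "flux CLI not found" >&2; return 127; }
    out=$(flux --version 2>/dev/null)
    check_flux_version "$out" || {
        echo "refusing to run: '$out' is below $MIN_FIXED (affected range)" >&2
        return 2
    }
    run_isolated flux "$@"
}
```

`run_isolated` is the part worth keeping even after upgrading: it turns the advisory's "ephemeral and isolated shell" workaround into a repeatable habit, and the private `TMPDIR` means a stray value from an earlier process in the same session cannot steer where the CLI reads or writes.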
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9844c4522896dcbf3bce
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/22/2025, 11:21:30 PM
Last updated: 8/3/2025, 6:47:15 PM