Vulnerability Report: GO-2022-1071
- CVE-2022-39272, GHSA-f4p5-x4vc-mh4v
- Affects: github.com/fluxcd/helm-controller/api, github.com/fluxcd/image-automation-controller/api, and 4 more
- Published: Oct 28, 2022
- Modified: May 20, 2024
Flux controllers are vulnerable to a denial of service attack. Users that have permissions to change Flux's objects, either through a Flux source or directly within a cluster, can provide invalid data to fields .spec.interval or .spec.timeout (and structured variations of these fields), causing the entire object type to stop being processed. The issue has two root causes: a) the Kubernetes type metav1.Duration is not fully compatible with the Go type time.Duration as explained in https://github.com/kubernetes/apimachinery/issues/131, and b) a lack of validation within Flux to restrict allowed values.
For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-f4p5-x4vc-mh4v.
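As an added illustration (not code from this report, from Flux, or from apimachinery), the Go program below models both root causes with the standard library only: a minimal stand-in for metav1.Duration whose JSON decoding delegates to time.ParseDuration, a list decode that fails as a whole when a single item carries an unparsable interval, and a schema-style check of the kind the linked fixes add so that such values are rejected before they reach a controller. The Duration type, the Spec and Object structs, the regular expression and the sample list are all constructed for this example; the exact patterns Flux adopted are in the referenced pull requests.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// Duration is a constructed stand-in for metav1.Duration, not the apimachinery
// type: the JSON form is a string and decoding delegates to time.ParseDuration,
// so any string the parser rejects makes the enclosing document undecodable.
type Duration struct {
	time.Duration
}

func (d *Duration) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	pd, err := time.ParseDuration(s)
	if err != nil {
		return err
	}
	d.Duration = pd
	return nil
}

// Spec carries the two fields named in the report (constructed struct).
type Spec struct {
	Interval Duration  `json:"interval"`
	Timeout  *Duration `json:"timeout,omitempty"`
}

// Object is a constructed, simplified custom resource.
type Object struct {
	Name string `json:"name"`
	Spec Spec   `json:"spec"`
}

// DecodeList decodes a list the way a controller's informer would: one
// undecodable item fails the whole list, so every object of the type is lost.
func DecodeList(data []byte) ([]Object, error) {
	var objs []Object
	if err := json.Unmarshal(data, &objs); err != nil {
		return nil, err
	}
	return objs, nil
}

// durationPattern is an example schema-level restriction (assumption: the shape
// of a CRD validation pattern, not copied from a Flux CRD). It admits only
// positive durations built from ms, s, m and h units, so negative values and
// units like "d" or "µs" never reach the API server.
var durationPattern = regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$`)

// ValidateInterval applies the pattern first, then confirms the parser agrees,
// so a bad value is rejected at admission time rather than at decode time.
func ValidateInterval(s string) error {
	if !durationPattern.MatchString(s) {
		return fmt.Errorf("interval %q does not match %s", s, durationPattern)
	}
	if _, err := time.ParseDuration(s); err != nil {
		return err
	}
	return nil
}

// sampleList is a constructed list: two valid objects and one with an
// interval that ParseDuration cannot read.
const sampleList = `[
  {"name": "ok-1", "spec": {"interval": "10m"}},
  {"name": "bad",  "spec": {"interval": "1d"}},
  {"name": "ok-2", "spec": {"interval": "1h30m", "timeout": "60s"}}
]`

func main() {
	if _, err := DecodeList([]byte(sampleList)); err != nil {
		fmt.Println("whole list rejected:", err)
	}
	for _, v := range []string{"10m", "1h30m", "1.5h", "1d", "-1h", "abc", "1µs"} {
		fmt.Printf("%-6s accepted=%v\n", v, ValidateInterval(v) == nil)
	}
}
```

The decode failure on the sample list is the denial of service the report describes: the "bad" object alone breaks decoding for "ok-1" and "ok-2" as well. The two checks in ValidateInterval are deliberately separate, because time.ParseDuration accepts inputs such as "-1h" and "1µs" that a schema pattern should refuse, while the pattern alone cannot stand in for the parser's own error handling.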
Affected Packages
Path | Go Versions | Symbols
- (path not extracted) | before v0.26.0 | all symbols
- (path not extracted) | before v0.26.1 | all symbols
- (path not extracted) | before v0.22.1 | all symbols
- (path not extracted) | before v0.30.0 | all symbols
- (path not extracted) | before v0.28.0 | all symbols
- (path not extracted) | before v0.30.0 | all symbols
References
- https://github.com/advisories/GHSA-f4p5-x4vc-mh4v
- https://github.com/fluxcd/helm-controller/pull/533
- https://github.com/fluxcd/image-automation-controller/pull/439
- https://github.com/fluxcd/image-reflector-controller/pull/314
- https://github.com/fluxcd/kustomize-controller/pull/731
- https://github.com/fluxcd/notification-controller/pull/420
- https://github.com/fluxcd/source-controller/pull/903
- https://github.com/kubernetes/apimachinery/issues/131
- https://vuln.go.dev/ID/GO-2022-1071.json
Credits
- Alexander Block (@codablock)