CVE-2022-31077

EPSS 0.32%
Published 27.06.2022 21:15:07
Last modified 21.11.2024 07:03:50
Source security-advisories@github.com
Teams watchlist Login
Open Login

KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. In affected versions a malicious message response from KubeEdge can crash the CSI Driver controller server by triggering a nil-pointer dereference panic. As a consequence, the CSI Driver controller will be in denial of service. This bug has been fixed in Kubeedge 1.11.0, 1.10.1, and 1.9.3. Users should update to these versions to resolve the issue. At the time of writing, no workaround exists.

Affected products Warnungen 0 Metrics 4 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Linuxfoundation ≫ Kubeedge Version < 1.9.3

Linuxfoundation ≫ Kubeedge Version1.10.0 Update-

Linuxfoundation ≫ Kubeedge Version1.10.0 Updatebeta0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.32%	0.545

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.7	2.1	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:N/A:P
security-advisories@github.com	4	0.4	3.6	CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://github.com/kubeedge/kubeedge/pull/3899/commits/5d60ae9eabd6b6b7afe38758e19bbe8137664701

Patch

Third Party Advisory

https://github.com/kubeedge/kubeedge/pull/3899

Patch

Third Party Advisory

https://github.com/kubeedge/kubeedge/security/advisories/GHSA-x938-fvfw-7jh5

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-31077

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-31077

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-31077

EUVD