5
CVE-2022-39272
- EPSS 0.61%
- Veröffentlicht 22.10.2022 00:15:09
- Zuletzt bearbeitet 21.11.2024 07:17:55
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginFlux2 vulnerable to Denial of Service due to Improper use of metav1.Duration
Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fluxcd ≫ Helm-controller Version >= 0.0.2 < 0.24.0
Fluxcd ≫ Helm-controller Version0.0.1 Updatealpha1
Fluxcd ≫ Helm-controller Version0.0.1 Updatealpha2
Fluxcd ≫ Helm-controller Version0.0.1 Updatebeta1
Fluxcd ≫ Helm-controller Version0.0.1 Updatebeta2
Fluxcd ≫ Helm-controller Version0.0.1 Updatebeta3
Fluxcd ≫ Helm-controller Version0.0.1 Updatebeta4
Fluxcd ≫ Image-automation-controller Version >= 0.1.0 < 0.26.0
Fluxcd ≫ Image-reflector-controller Version >= 0.1.0 < 0.22.0
Fluxcd ≫ Kustomize-controller Version >= 0.0.2 < 0.29.0
Fluxcd ≫ Kustomize-controller Version0.0.1 Updatealpha1
Fluxcd ≫ Kustomize-controller Version0.0.1 Updatealpha2
Fluxcd ≫ Kustomize-controller Version0.0.1 Updatealpha3
Fluxcd ≫ Kustomize-controller Version0.0.1 Updatealpha4
Fluxcd ≫ Kustomize-controller Version0.0.1 Updatealpha5
Fluxcd ≫ Kustomize-controller Version0.0.1 Updatealpha6
Fluxcd ≫ Kustomize-controller Version0.0.1 Updatealpha7
Fluxcd ≫ Kustomize-controller Version0.0.1 Updatealpha8
Fluxcd ≫ Kustomize-controller Version0.0.1 Updatealpha9
Fluxcd ≫ Kustomize-controller Version0.0.1 Updatebeta1
Fluxcd ≫ Kustomize-controller Version0.0.1 Updatebeta2
Fluxcd ≫ Notification-controller Version >= 0.0.2 < 0.27.0
Fluxcd ≫ Notification-controller Version0.0.1 Updatealpha1
Fluxcd ≫ Notification-controller Version0.0.1 Updatealpha2
Fluxcd ≫ Notification-controller Version0.0.1 Updatebeta1
Fluxcd ≫ Source-controller Version >= 0.0.2 < 0.30.0
Fluxcd ≫ Source-controller Version0.0.1 Updatealpha1
Fluxcd ≫ Source-controller Version0.0.1 Updatealpha2
Fluxcd ≫ Source-controller Version0.0.1 Updatealpha3
Fluxcd ≫ Source-controller Version0.0.1 Updatealpha4
Fluxcd ≫ Source-controller Version0.0.1 Updatealpha5
Fluxcd ≫ Source-controller Version0.0.1 Updatealpha6
Fluxcd ≫ Source-controller Version0.0.1 Updatebeta1
Fluxcd ≫ Source-controller Version0.0.1 Updatebeta2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.61% | 0.443 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
|
| security-advisories@github.com | 5 | 3.1 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
|
CWE-1284 Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v
https://github.com/kubernetes/apimachinery/issues/131