CVE Vulnerability

CVE-2022-39272

Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.

4.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v Third Party Advisory
https://github.com/kubernetes/apimachinery/issues/131 Issue Tracking Patch
Configurations

Configuration 1

cpe:2.3:a:fluxcd:source-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha5:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha6:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:beta2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha5:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha6:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha7:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha8:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha9:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:image-reflector-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:image-automation-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*
Information

Published : 2022-10-22 12:15

Updated : 2022-10-24 04:51

NVD link : CVE-2022-39272

Mitre link : CVE-2022-39272

Products Affected
No products.
CWE
CWE-20