Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-39272

Good to know:

icon

Date: October 21, 2022

Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.

Language: Go

Severity Score

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2022-39272
https://github.com/kubernetes/apimachinery/issues/131
https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v
https://www.mend.io/vulnerability-database/CVE-2022-39272

Severity Score

Weakness Type (CWE)

Input Validation

CWE-20

Improper Validation of Specified Quantity in Input

CWE-1284

Top Fix

icon

Upgrade Version

Upgrade to version github.com/fluxcd/flux2-v0.35.0,helm-controller-v0.24.0,image-automation-controller-v0.26.0,image-reflector-controller-v0.22.0,kustomize-controller-v0.29.0,notification-controller-v0.27.0,source-controller-v0.30.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): LOW

Do you need more information?

Contact Us