CVE-2022-39272: Improper Validation of Specified Quantity in Input in Fluxcd Source-controller

Severity
NVD: 4.3 MEDIUM
CNA: 5.0
EPSS: 0.3% (top 44.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 22
Latest update: Oct 28

Description

Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controller
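As an added example (not Flux's own code), the kind of check an admission policy or validating webhook could apply to `.spec.interval` and `.spec.timeout` before an object is admitted, so that a value `metav1.Duration` cannot decode is refused up front rather than reaching the controller. The duration grammar and the positive-value rule are assumptions for illustration, not Flux's exact CRD schema.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Assumed conservative grammar for interval/timeout values: one or more
// <number><unit> groups with units ms, s, m or h (e.g. "10m", "1h30m").
// A plausible admission-time rule, not Flux's exact CRD schema.
var durationPattern = regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$`)

// ValidateDurationField rejects values that metav1.Duration (a wrapper around
// time.ParseDuration) could not decode, plus zero durations.
func ValidateDurationField(field, value string) error {
	if !durationPattern.MatchString(value) {
		return fmt.Errorf("%s: %q does not match the allowed duration grammar", field, value)
	}
	if d, err := time.ParseDuration(value); err != nil || d <= 0 {
		return fmt.Errorf("%s: %q is not a positive duration", field, value)
	}
	return nil
}

// ValidateSpec checks .spec.interval and .spec.timeout of a decoded object,
// so a bad object is refused at admission instead of reaching the controller,
// where one undecodable field could stall processing of the whole type.
func ValidateSpec(spec map[string]any) []error {
	var errs []error
	for _, field := range []string{"interval", "timeout"} {
		raw, present := spec[field]
		if !present {
			continue
		}
		s, ok := raw.(string)
		if !ok {
			errs = append(errs, fmt.Errorf("%s: expected a string, got %T", field, raw))
		} else if err := ValidateDurationField(field, s); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	// Constructed sample specs, not taken from a real cluster.
	fmt.Println(ValidateSpec(map[string]any{"interval": "10m", "timeout": "60s"}))
	fmt.Println(ValidateSpec(map[string]any{"interval": "10 minutes", "timeout": 60}))
}
```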

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Exploitability: 2.8 | Impact: 1.4

Affected Packages (21 packages)

Source      Package                               Introduced      Fixed
NVD         fluxcd/source-controller              0.0.2           0.30.0 (+1)
Go          github.com/fluxcd_source-controller   0.0.1-alpha-1   0.30.0
CVEListV5   fluxcd/flux2                          -               < 0.35.0
NVD         fluxcd/flux2                          0.1.0           0.35.0

Patches

Vulnerability Details (4)

OSV: Denial of service in flux controllers in github.com/fluxcd modules (2022-10-28)
CVEList: Flux2 vulnerable to Denial of Service due to Improper use of metav1.Duration (2022-10-21)
OSV: Improper use of metav1.Duration allows for Denial of Service (2022-10-19)
GHSA: Improper use of metav1.Duration allows for Denial of Service (2022-10-19)
CVE-2022-39272 — Fluxcd Source-controller vulnerability | cvebase