CVE-2022-31054
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1, several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. A patch for this vulnerability has been released in Argo Events version 1.7.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| argoproj | argo-events | < 1.7.1 | affected |
Weaknesses
- CWE-400: CWE-400: Uncontrolled Resource Consumption
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57
- https://github.com/argoproj/argo-events/issues/1946
- https://github.com/argoproj/argo-events/pull/1966
- https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57
- https://github.com/argoproj/argo-events/issues/1946
- https://github.com/argoproj/argo-events/pull/1966
- https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.