CVE-2022-39272

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-39272
Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v Third Party Advisory
https://github.com/kubernetes/apimachinery/issues/131 Issue Tracking Patch Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:image-automation-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:image-reflector-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha5:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha6:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha7:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha8:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha9:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha5:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha6:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:beta2:*:*:*:*:*:*
History

07 Nov 2023, 03:50

Type Values Removed Values Added
Summary Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation. Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.

14 Jul 2023, 18:17

Type Values Removed Values Added
CWE CWE-20 CWE-1284
Information

Published : 2022-10-22 00:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-39272

Mitre link : CVE-2022-39272

CVE.ORG link : CVE-2022-39272

JSON object : View

Products Affected

fluxcd

  • kustomize-controller
  • image-automation-controller
  • notification-controller
  • helm-controller
  • source-controller
  • image-reflector-controller
  • flux2
CWE
CWE-1284

Improper Validation of Specified Quantity in Input