CVE-2022-39272

Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v	Third Party Advisory
https://github.com/kubernetes/apimachinery/issues/131	Issue Tracking Patch Third Party Advisory
https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v	Third Party Advisory
https://github.com/kubernetes/apimachinery/issues/131	Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fluxcd:flux2::::::::
	cpe:2.3:a:fluxcd:helm-controller::::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha1::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha2::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta1::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta2::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta3::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta4::::::
	cpe:2.3:a:fluxcd:image-automation-controller::::::::
	cpe:2.3:a:fluxcd:image-reflector-controller::::::::
	cpe:2.3:a:fluxcd:kustomize-controller::::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha1::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha2::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha3::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha4::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha5::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha6::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha7::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha8::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha9::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta1::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta2::::::
	cpe:2.3:a:fluxcd:notification-controller::::::::
	cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha1::::::
	cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha2::::::
	cpe:2.3:a:fluxcd:notification-controller:0.0.1:beta1::::::
	cpe:2.3:a:fluxcd:source-controller::::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha1::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha2::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha3::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha4::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha5::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha6::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:beta1::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:beta2::::::

History

21 Nov 2024, 07:17

Type	Values Removed	Values Added
References	~~() https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v - Third Party Advisory~~	() https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v - Third Party Advisory
References	~~() https://github.com/kubernetes/apimachinery/issues/131 - Issue Tracking, Patch, Third Party Advisory~~	() https://github.com/kubernetes/apimachinery/issues/131 - Issue Tracking, Patch, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~4.3~~	v2 : unknown v3 : 5.0

07 Nov 2023, 03:50

Type	Values Removed	Values Added
Summary	Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Fluxâ€™s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.	Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.

14 Jul 2023, 18:17

Type	Values Removed	Values Added
CWE	~~CWE-20~~	CWE-1284

Information

Published : 2022-10-22 00:15

Updated : 2024-11-21 07:17

NVD link : CVE-2022-39272

Mitre link : CVE-2022-39272

CVE.ORG link : CVE-2022-39272

JSON object : View

Products Affected

fluxcd

kustomize-controller
image-automation-controller
flux2
image-reflector-controller
helm-controller
notification-controller
source-controller

CWE

CWE-1284

Improper Validation of Specified Quantity in Input

5.0 /10