CVE-2022-31054

Опубликовано: 13 июн. 2022

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1, several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. A patch for this vulnerability has been released in Argo Events version 1.7.1.

Ссылки

https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35
Patch
Third Party Advisory
https://github.com/argoproj/argo-events/issues/1946
Issue Tracking
Third Party Advisory
https://github.com/argoproj/argo-events/pull/1966
Patch
Third Party Advisory
https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57
Third Party Advisory
https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35
Patch
Third Party Advisory
https://github.com/argoproj/argo-events/issues/1946
Issue Tracking
Third Party Advisory
https://github.com/argoproj/argo-events/pull/1966
Patch
Third Party Advisory
https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:argo_events_project:argo_events:*:*:*:*:*:*:*:*

Версия до 1.7.1 (исключая)

EPSS

Процентиль: 68%

0.00563

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-400

CWE-787

Связанные уязвимости

GHSA-5q86-62xr-3r57