CVE-2022-31077
low-risk
Published 2022-06-27
KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. In affected versions, a malicious message response from KubeEdge can crash the CSI Driver controller server by triggering a nil-pointer dereference panic. As a consequence, the CSI Driver controller is left in a denial-of-service state. This bug has been fixed in KubeEdge 1.11.0, 1.10.1, and 1.9.3; users should update to these versions to resolve the issue. At the time of writing, no workaround exists.
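The crash class described above, as an added Go example that is not KubeEdge's own code: the Response message shape, its field names and the handler functions are hypothetical stand-ins for the real CSI controller message path. The vulnerable handler trusts the decoded message and dereferences pointer fields directly, so a response that omits the content field (a constructed sample below) panics with a nil-pointer dereference; the hardened handler validates every pointer before use and returns an error, and a recover() wrapper around the handler keeps one malformed message from taking down the whole serving loop.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical response shape (not KubeEdge's wire format): pointer fields
// stay nil when the sender omits them, which is exactly what a malicious
// peer can do.
type Response struct {
	Header  *Header  `json:"header"`
	Content *Content `json:"content"`
}

type Header struct {
	ID string `json:"id"`
}

type Content struct {
	Result string `json:"result"`
}

// vulnerableHandle mirrors the bug class: decode errors are ignored and
// resp.Content is dereferenced without a nil check, so a message with no
// "content" field panics the goroutine (and, without recovery, the process).
func vulnerableHandle(raw []byte) string {
	var resp Response
	_ = json.Unmarshal(raw, &resp)
	return resp.Content.Result
}

// safeHandle validates the decoded message before touching any pointer and
// turns a malformed response into an error the caller can log and drop.
func safeHandle(raw []byte) (string, error) {
	var resp Response
	if err := json.Unmarshal(raw, &resp); err != nil {
		return "", fmt.Errorf("decode response: %w", err)
	}
	if resp.Header == nil || resp.Header.ID == "" {
		return "", errors.New("response missing header.id")
	}
	if resp.Content == nil {
		return "", errors.New("response missing content")
	}
	return resp.Content.Result, nil
}

// serve wraps a handler with recover() so that a panic raised while handling
// a single message is converted into an error instead of killing the server.
// This is a safety net, not a substitute for the validation in safeHandle.
func serve(handler func([]byte) string, raw []byte) (result string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked on message: %v", r)
		}
	}()
	return handler(raw), nil
}

// Constructed sample messages: a well-formed response and one that omits
// the content field, as a malicious peer could send.
var goodMsg = []byte(`{"header":{"id":"req-1"},"content":{"result":"ok"}}`)
var badMsg = []byte(`{"header":{"id":"req-1"}}`)

func main() {
	// Unprotected path: the bad message panics; serve() recovers and reports it.
	if _, err := serve(vulnerableHandle, badMsg); err != nil {
		fmt.Println("vulnerable handler:", err)
	}
	// Hardened path: the bad message is rejected with a plain error.
	if _, err := safeHandle(badMsg); err != nil {
		fmt.Println("safe handler:", err)
	}
	if res, err := safeHandle(goodMsg); err == nil {
		fmt.Println("safe handler result:", res)
	}
}
```

Run it with `go run .`: the vulnerable handler only survives the malformed message because serve() recovers the panic, whereas the hardened handler never panics at all. In a real controller the validation belongs at the message boundary, and the recover() wrapper belongs around every per-message handler so a single crafted response cannot turn into a denial of service of the whole server.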
Do I need to act?
EPSS: 0.34% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: fixed in KubeEdge 1.11.0, 1.10.1 and 1.9.3 per the advisory; check vendor advisories for mitigation guidance
CVSS: 4.0/10 (Medium); attack vector ADJACENT_NETWORK, attack complexity HIGH
Affected Products (3): Kubeedge (three entries; version ranges not shown)
Affected Vendors: none listed
References (6)
Third Party Advisory: https://github.com/kubeedge/kubeedge/security/advisories/GHSA-x938-fvfw-7jh5
Risk score: 20/100 (low-risk)
Severity: 10/34 (Low)
Exploitability: 1/34 (Minimal)
Exposure: 9/34 (Low)