CVE-2022-39272
moderate-risk
Published 2022-10-22
Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to the fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, admission controllers can be employed to restrict the values that can be used for the fields `.spec.interval` and `.spec.timeout`; however, upgrading to the latest versions is still the recommended mitigation.
Do I need to act?
EPSS: 0.33% chance of exploitation (low exploit probability)
CISA KEV: not listed (no confirmed active exploitation reported to CISA)
Patch status: unknown (check vendor advisories for fix availability and mitigation guidance)
CVSS: 5.0/10, Medium (attack vector NETWORK / LOW attack complexity)
Affected Products (20 entries across 5 products)
Flux2
Helm-Controller
Image-Automation-Controller
Image-Reflector-Controller
Kustomize-Controller
References (4 listed, 2 unique)
Third Party Advisory: https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v
Issue Tracking: https://github.com/kubernetes/apimachinery/issues/131
Risk score: 44 / 100 (moderate-risk)
Severity: 20/34 · Moderate
Exploitability: 1/34 · Minimal
Exposure: 23/34 · High