CVE-2022-39272

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-39272
Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.

5.0 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References
Link Resource
https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v Third Party Advisory
https://github.com/kubernetes/apimachinery/issues/131 Issue Tracking Patch Third Party Advisory
https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v Third Party Advisory
https://github.com/kubernetes/apimachinery/issues/131 Issue Tracking Patch Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:image-automation-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:image-reflector-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha5:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha6:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha7:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha8:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha9:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha5:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha6:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:beta2:*:*:*:*:*:*
History

21 Nov 2024, 07:17

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 4.3 		v2 : unknown
v3 : 5.0
References () https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v - Third Party Advisory () https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v - Third Party Advisory
References () https://github.com/kubernetes/apimachinery/issues/131 - Issue Tracking, Patch, Third Party Advisory () https://github.com/kubernetes/apimachinery/issues/131 - Issue Tracking, Patch, Third Party Advisory

14 Jul 2023, 18:17

Type Values Removed Values Added
CWE CWE-20 CWE-1284

24 Oct 2022, 16:51

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.3
CWE CWE-20
CPE cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha6:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:beta2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha8:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha7:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha6:*:*:*:*:*:*
cpe:2.3:a:fluxcd:image-automation-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha3:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha4:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha5:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha5:*:*:*:*:*:*
cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha9:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta2:*:*:*:*:*:*
cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha1:*:*:*:*:*:*
cpe:2.3:a:fluxcd:image-reflector-controller:*:*:*:*:*:*:*:*
cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha2:*:*:*:*:*:*
References (CONFIRM) https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v - (CONFIRM) https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v - Third Party Advisory
References (MISC) https://github.com/kubernetes/apimachinery/issues/131 - (MISC) https://github.com/kubernetes/apimachinery/issues/131 - Issue Tracking, Patch, Third Party Advisory

22 Oct 2022, 00:33

Type Values Removed Values Added
New CVE
Information

Published : 2022-10-22 00:15

Updated : 2024-11-21 07:17

NVD link : CVE-2022-39272

Mitre link : CVE-2022-39272

CVE.ORG link : CVE-2022-39272

JSON object : View

Products Affected

fluxcd

  • kustomize-controller
  • flux2
  • helm-controller
  • notification-controller
  • image-reflector-controller
  • image-automation-controller
  • source-controller
CWE
CWE-1284

Improper Validation of Specified Quantity in Input