CVE-2022-39272

Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v	Third Party Advisory
https://github.com/kubernetes/apimachinery/issues/131	Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fluxcd:flux2::::::::
	cpe:2.3:a:fluxcd:helm-controller::::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha1::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha2::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta1::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta2::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta3::::::
	cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta4::::::
	cpe:2.3:a:fluxcd:image-automation-controller::::::::
	cpe:2.3:a:fluxcd:image-reflector-controller::::::::
	cpe:2.3:a:fluxcd:kustomize-controller::::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha1::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha2::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha3::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha4::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha5::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha6::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha7::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha8::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha9::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta1::::::
	cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta2::::::
	cpe:2.3:a:fluxcd:notification-controller::::::::
	cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha1::::::
	cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha2::::::
	cpe:2.3:a:fluxcd:notification-controller:0.0.1:beta1::::::
	cpe:2.3:a:fluxcd:source-controller::::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha1::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha2::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha3::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha4::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha5::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha6::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:beta1::::::
	cpe:2.3:a:fluxcd:source-controller:0.0.1:beta2::::::

History

07 Nov 2023, 03:50

Type	Values Removed	Values Added
Summary	Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Fluxâ€™s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.	Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.

14 Jul 2023, 18:17

Type	Values Removed	Values Added
CWE	~~CWE-20~~	CWE-1284

24 Oct 2022, 16:51

Type	Values Removed	Values Added
References	~~(CONFIRM) https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v -~~	(CONFIRM) https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v - Third Party Advisory
References	~~(MISC) https://github.com/kubernetes/apimachinery/issues/131 -~~	(MISC) https://github.com/kubernetes/apimachinery/issues/131 - Issue Tracking, Patch, Third Party Advisory
First Time		Fluxcd image-automation-controller Fluxcd kustomize-controller Fluxcd notification-controller Fluxcd Fluxcd flux2 Fluxcd image-reflector-controller Fluxcd source-controller Fluxcd helm-controller
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
CWE		CWE-20
CPE		cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha1:::::: cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha1:::::: cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta4:::::: cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha3:::::: cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta3:::::: cpe:2.3:a:fluxcd:notification-controller:0.0.1:beta1:::::: cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha6:::::: cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha2:::::: cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha9:::::: cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha8:::::: cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha5:::::: cpe:2.3:a:fluxcd:source-controller:0.0.1:beta2:::::: cpe:2.3:a:fluxcd:image-automation-controller:::::::: cpe:2.3:a:fluxcd:flux2:::::::: cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha1:::::: cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha5:::::: cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha4:::::: cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha4:::::: cpe:2.3:a:fluxcd:notification-controller:::::::: cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha3:::::: cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta2:::::: cpe:2.3:a:fluxcd:source-controller:0.0.1:beta1:::::: cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta1:::::: cpe:2.3:a:fluxcd:image-reflector-controller:::::::: cpe:2.3:a:fluxcd:source-controller:::::::: cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha2:::::: cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha2:::::: cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta2:::::: cpe:2.3:a:fluxcd:kustomize-controller:::::::: cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha1:::::: cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha7:::::: cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta1:::::: cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha2:::::: cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha6:::::: cpe:2.3:a:fluxcd:helm-controller::::::::

22 Oct 2022, 00:33

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-10-22 00:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-39272

Mitre link : CVE-2022-39272

CVE.ORG link : CVE-2022-39272

JSON object : View

Products Affected

fluxcd

kustomize-controller
image-reflector-controller
source-controller
image-automation-controller
notification-controller
flux2
helm-controller

CWE

CWE-1284

Improper Validation of Specified Quantity in Input

4.3 /10