CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
EPSS
Percentile: 32.8%
Flux controllers within the affected versions range are vulnerable to a denial of service attack. Users who have permissions to change Flux's objects, either through a Flux source or directly within a cluster, can provide invalid data to the fields .spec.interval or .spec.timeout (and structured variations of these fields), causing the entire object type to stop being processed.
The issue has two root causes: a) the Kubernetes type metav1.Duration not being fully compatible with the Go type time.Duration, as explained in the upstream report; b) lack of validation within Flux to restrict the allowed values.
Admission controllers can be employed to restrict the values that can be used for the fields .spec.interval and .spec.timeout; however, upgrading to the latest versions is still the recommended mitigation.
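As an added illustration (not code from the advisory or from the Flux controllers), the Go sketch below uses a simplified stand-in for metav1.Duration to show how a single stored object with an unparseable .spec.interval fails the decode of the whole list that a controller relies on, and how an allow-list check of the kind an admission controller could apply rejects such a value before it is stored. The Duration and Object types, the regular expression and the sample objects are constructed assumptions for this example.

```go
package main

import (
	"encoding/json"
	"regexp"
	"time"
)

// Duration stands in for metav1.Duration: a JSON string handed to time.ParseDuration on decode (simplified copy, not the apimachinery type).
type Duration struct{ time.Duration }

func (d *Duration) UnmarshalJSON(b []byte) (err error) {
	var s string
	if err = json.Unmarshal(b, &s); err == nil {
		d.Duration, err = time.ParseDuration(s)
	}
	return err
}

// Object is a constructed stand-in for a Flux resource; its CRD schema types .spec.interval as a plain string, so any string reaches storage.
type Object struct {
	Spec struct{ Interval Duration `json:"interval"` } `json:"spec"`
}

// DecodeList mimics a typed client listing every object of one kind: one undecodable item fails the whole list, so none reconcile.
func DecodeList(raw []byte) ([]Object, error) {
	var items []Object
	err := json.Unmarshal(raw, &items)
	return items, err
}

// durationPattern is an allow-list an admission policy could enforce before storage (assumed pattern, not quoted from the Flux fix PRs).
var durationPattern = regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$`)

// AdmitDurations checks .spec.interval and .spec.timeout of a raw object the way an admission controller would; it returns the first offending field.
func AdmitDurations(raw []byte) (string, bool) {
	var obj struct{ Spec map[string]json.RawMessage `json:"spec"` }
	if json.Unmarshal(raw, &obj) != nil {
		return "spec", false
	}
	for _, f := range []string{"interval", "timeout"} {
		var s string
		if v, ok := obj.Spec[f]; ok && (json.Unmarshal(v, &s) != nil || !durationPattern.MatchString(s)) {
			return "spec." + f, false
		}
	}
	return "", true
}

// Stored is a constructed list: the first item is valid, the second has an interval the schema accepts but time.ParseDuration rejects.
var Stored = []byte(`[{"spec":{"interval":"10m"}},{"spec":{"interval":"ten minutes"}}]`)
```

Because the allow-list only admits the ms/s/m/h units, it is deliberately stricter than time.ParseDuration, so it also turns away values that Go would parse but that the controllers were never meant to receive.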
This issue was reported by Alexander Block (@codablock) through the Flux security mailing list (as recommended).
If you have any questions or comments about this advisory:
github.com/fluxcd/flux2
github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v
github.com/fluxcd/helm-controller/pull/533
github.com/fluxcd/image-automation-controller/pull/439
github.com/fluxcd/image-reflector-controller/pull/314
github.com/fluxcd/kustomize-controller/pull/731
github.com/fluxcd/notification-controller/pull/420
github.com/fluxcd/source-controller/pull/903
github.com/kubernetes/apimachinery#131
github.com/kubernetes/apimachinery/issues/131
nvd.nist.gov/vuln/detail/CVE-2022-39272
pkg.go.dev/vuln/GO-2022-1071