CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
AI Score
Confidence: High
EPSS
Percentile: 32.8%
Flux controllers are vulnerable to a denial of service attack.
Users who have permission to change Flux's objects, either through a Flux source or directly within a cluster, can provide invalid data in the .spec.interval or .spec.timeout fields (and structured variations of these fields), causing the entire object type to stop being processed.
The issue has two root causes: a) the Kubernetes type metav1.Duration is not fully compatible with the Go type time.Duration, as explained in https://github.com/kubernetes/apimachinery/issues/131, and b) a lack of validation within Flux to restrict the allowed values.
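The second root cause is the one an operator can reason about directly: a duration field that is deserialized from a JSON string ends up going through time.ParseDuration, which happily returns negative, zero, or sub-millisecond values, none of which make sense as a reconciliation interval or timeout. The following is an added example (not Flux or Kubernetes code) written in Go with only the standard library. It shows a stricter check of the kind a CRD schema or admission step would apply: an allow-list pattern for the accepted units and a sanity range, enforced during unmarshalling so an invalid value is refused before any reconciler sees it. The pattern, the bounds (1s to 24h), and the Spec/Duration types are assumptions chosen for illustration, not values taken from the Flux API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// Illustrative example, not Flux or Kubernetes code. It contrasts a bare
// time.ParseDuration (which is what a string-encoded duration field ends up
// calling when it is unmarshalled from JSON) with a validated parse.

// durationPattern admits only unsigned, non-empty durations using the units
// ms, s, m and h. time.ParseDuration alone also accepts a leading sign,
// ns/us units and the bare value "0". (Assumed allow-list for the example;
// the real API schema may differ.)
var durationPattern = regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$`)

// Hypothetical bounds chosen for the example, not taken from Flux.
const (
	minDuration = 1 * time.Second
	maxDuration = 24 * time.Hour
)

// ValidateDuration parses a duration string the way a CRD-level check would,
// rejecting values that parse cleanly but would make a reconcile loop misbehave.
func ValidateDuration(raw string) (time.Duration, error) {
	if !durationPattern.MatchString(raw) {
		return 0, fmt.Errorf("duration %q does not match %s", raw, durationPattern)
	}
	d, err := time.ParseDuration(raw)
	if err != nil {
		// Reachable for values that match the pattern but overflow int64 nanoseconds.
		return 0, fmt.Errorf("duration %q: %w", raw, err)
	}
	if d < minDuration || d > maxDuration {
		return 0, fmt.Errorf("duration %q is outside [%s, %s]", raw, minDuration, maxDuration)
	}
	return d, nil
}

// Duration is a JSON-string duration that validates itself while unmarshalling.
type Duration struct{ time.Duration }

func (d *Duration) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return fmt.Errorf("duration must be a JSON string: %w", err)
	}
	v, err := ValidateDuration(s)
	if err != nil {
		return err
	}
	d.Duration = v
	return nil
}

// Spec models only the two fields the advisory names (constructed for the example).
type Spec struct {
	Interval Duration  `json:"interval"`
	Timeout  *Duration `json:"timeout,omitempty"`
}

// ParseSpec decodes a spec document, returning an error for any invalid duration.
func ParseSpec(doc string) (Spec, error) {
	var s Spec
	if err := json.Unmarshal([]byte(doc), &s); err != nil {
		return Spec{}, err
	}
	return s, nil
}

func main() {
	// Constructed sample inputs: the first is well-formed; each of the others
	// would be accepted by time.ParseDuration alone but is rejected here.
	for _, doc := range []string{
		`{"interval":"10m","timeout":"1m"}`,
		`{"interval":"-10m"}`,
		`{"interval":"0s"}`,
		`{"interval":"10ns"}`,
	} {
		if s, err := ParseSpec(doc); err != nil {
			fmt.Printf("%s -> rejected: %v\n", doc, err)
		} else {
			fmt.Printf("%s -> interval=%s\n", doc, s.Interval)
		}
	}
}
```

Doing the check inside UnmarshalJSON means the API server (or any client that decodes the object with these types) refuses the value at the boundary, rather than leaving a controller to discover a nonsensical interval only after it has already loaded the object. The same effect is reached in a real CRD with an OpenAPI pattern or CEL rule on the field; the Go code above just makes the accepted set explicit.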
github.com/advisories/GHSA-f4p5-x4vc-mh4v
github.com/fluxcd/helm-controller/pull/533
github.com/fluxcd/image-automation-controller/pull/439
github.com/fluxcd/image-reflector-controller/pull/314
github.com/fluxcd/kustomize-controller/pull/731
github.com/fluxcd/notification-controller/pull/420
github.com/fluxcd/source-controller/pull/903
github.com/kubernetes/apimachinery#131