Vulnerability Details : CVE-2022-31054
Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1, several `HandleRoute` endpoints make use of the deprecated `ioutil.ReadAll()`. `ioutil.ReadAll()` reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. A patch for this vulnerability has been released in Argo Events version 1.7.1.
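As an added example (not Argo Events' own code, and not the change from the 1.7.1 patch), the unbounded read pattern described above beside a bounded replacement; `maxBodyBytes`, `readBodyBounded` and `handleRouteBounded` are hypothetical names, and the 1 MiB limit is a constructed value:

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
)

// maxBodyBytes is a constructed limit; size it to the largest legitimate payload.
const maxBodyBytes int64 = 1 << 20 // 1 MiB

var errBodyTooLarge = errors.New("request body exceeds limit")

// readBodyUnbounded is the pre-1.7.1 shape of the bug: ioutil.ReadAll (the
// deprecated alias of io.ReadAll) buffers whatever the client sends.
func readBodyUnbounded(body io.Reader) ([]byte, error) {
	return io.ReadAll(body)
}

// readBodyBounded buffers at most limit+1 bytes; the extra byte distinguishes
// "exactly limit" from "over limit". http.MaxBytesReader is the net/http-native
// alternative and additionally closes the connection on overflow.
func readBodyBounded(body io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errBodyTooLarge
	}
	return data, nil
}

// handleRouteBounded is a hypothetical hardened webhook handler (not the
// project's code): oversized bodies get 413 instead of exhausting memory.
func handleRouteBounded(w http.ResponseWriter, r *http.Request) {
	body, err := readBodyBounded(r.Body, maxBodyBytes)
	if errors.Is(err, errBodyTooLarge) {
		http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes\n", len(body))
}
```

The bounded reader never allocates more than the limit plus one byte, so the allocation size is fixed by the server rather than by the sender.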
Vulnerability category: Memory Corruption; Denial of service
Products affected by CVE-2022-31054
- cpe:2.3:a:argo_events_project:argo_events:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31054
0.21% (probability of exploitation activity in the next 30 days)
EPSS Score History
~58% percentile (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-31054
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | GitHub, Inc. |
CWE ids for CVE-2022-31054
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. (Assigned by: security-advisories@github.com, Secondary)
- The product writes data past the end, or before the beginning, of the intended buffer. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2022-31054
- https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57 : "Uses of deprecated API can be used to cause DoS in user-facing endpoints", GitHub security advisory for argoproj/argo-events. Third Party Advisory
- https://github.com/argoproj/argo-events/issues/1946 : "Uses of deprecated API can be used to cause DoS in user-facing endpoints", Issue #1946 in argoproj/argo-events. Issue Tracking; Third Party Advisory
- https://github.com/argoproj/argo-events/pull/1966 : "chore: discontinue using ioutil" by whynowy, Pull Request #1966 in argoproj/argo-events. Patch; Third Party Advisory
- https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35 : "chore: discontinue using ioutil (#1966)", commit eaabcb6 in argoproj/argo-events. Patch; Third Party Advisory