CVE-2022-39272

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-39272

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39272.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-39272

Aliases

Related

CGA-hwg5-22j5-jjq4

Published

2022-10-21T00:00:00Z

Modified

2026-02-15T07:45:16.876724Z

Severity

5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L CVSS Calculator

Summary

Flux2 vulnerable to Denial of Service due to Improper use of metav1.Duration

Details

Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields .spec.interval or .spec.timeout (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields .spec.interval and .spec.timeout, however upgrading to the latest versions is still the recommended mitigation.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39272.json"
}

References

Affected packages

Git

github.com/fluxcd/flux2

Affected ranges

Type: GIT
Repo: https://github.com/fluxcd/flux2
Events: Introduced

70d0bfce15a916b73b060af53142ff342051f920

Fixed

1bf63a94c22d1b9b7ccf92f66a1a34a74bd72fca

Introduced

b7727e2659d2476312abdb43f7c9df0f64bfa0e0

Fixed

adf5a5278f164834a29453f47d5281d2616c07e5

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.10.0

v0.11.0

v0.12.0

v0.12.1

v0.12.2

v0.12.3

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.13.4

v0.14.0

v0.14.1

v0.14.2

v0.15.0

v0.15.1

v0.15.2

v0.15.3

v0.16.0

v0.16.1

v0.16.2

v0.17.0

v0.17.1

v0.17.2

v0.18.0

v0.18.1

v0.18.2

v0.18.3

v0.19.0

v0.19.1

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.20.0

v0.20.1

v0.21.0

v0.21.1

v0.22.0

v0.22.1

v0.23.0

v0.24.0

v0.24.1

v0.25.0

v0.25.1

v0.25.2

v0.25.3

v0.26.0

v0.26.1

v0.26.2

v0.26.3

v0.27.0

v0.27.1

v0.27.2

v0.28.0

v0.28.1

v0.28.2

v0.28.3

v0.28.4

v0.28.5

v0.29.0

v0.29.1

v0.29.2

v0.29.3

v0.29.4

v0.29.5

v0.3.0

v0.30.0

v0.30.1

v0.30.2

v0.31.0

v0.31.1

v0.31.2

v0.31.3

v0.31.4

v0.31.5

v0.32.0

v0.33.0

v0.34.0

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.5.7

v0.5.8

v0.5.9

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.8.0

v0.8.1

v0.8.2

v0.9.0

v0.9.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39272.json"

github.com/fluxcd/helm-controller

Affected ranges

Type: GIT
Repo: https://github.com/fluxcd/helm-controller
Events: Introduced

4379ef33a8d4a7ea969fa5e3142de001e6c1323c

Fixed

56e36da8c15fe4aef06d257c3295044e53874cab

Introduced

a69f3a2b578baaa28b502a2e07fb168b3b41ec7b

Fixed

8805f9032c0ffce89b38a8622b991c472338cb55

Affected versions

api/v0.*

api/v0.1.1

api/v0.1.2

api/v0.1.3

api/v0.10.0

api/v0.10.1

api/v0.11.0

api/v0.11.1

api/v0.11.2

api/v0.12.0

api/v0.12.1

api/v0.12.2

api/v0.13.0

api/v0.14.0

api/v0.14.1

api/v0.15.0

api/v0.16.0

api/v0.17.0

api/v0.17.1

api/v0.18.0

api/v0.18.1

api/v0.18.2

api/v0.19.0

api/v0.2.0

api/v0.2.1

api/v0.2.2

api/v0.20.0

api/v0.20.1

api/v0.21.0

api/v0.22.0

api/v0.22.1

api/v0.22.2

api/v0.23.0

api/v0.23.1

api/v0.24.0

api/v0.25.0

api/v0.26.0

api/v0.27.0

api/v0.28.0

api/v0.28.1

api/v0.29.0

api/v0.3.0

api/v0.30.0

api/v0.31.0

api/v0.31.1

api/v0.31.2

api/v0.32.0

api/v0.32.1

api/v0.32.2

api/v0.33.0

api/v0.34.0

api/v0.34.1

api/v0.34.2

api/v0.4.0

api/v0.4.1

api/v0.4.2

api/v0.4.3

api/v0.4.4

api/v0.5.0

api/v0.5.1

api/v0.5.2

api/v0.6.0

api/v0.6.1

api/v0.7.0

api/v0.8.0

api/v0.8.1

api/v0.8.2

api/v0.9.0

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.10.0

v0.10.1

v0.11.0

v0.11.1

v0.11.2

v0.12.0

v0.12.1

v0.12.2

v0.13.0

v0.14.0

v0.14.1

v0.15.0

v0.16.0

v0.17.0

v0.17.1

v0.18.0

v0.18.1

v0.18.2

v0.19.0

v0.2.0

v0.2.1

v0.2.2

v0.20.0

v0.20.1

v0.21.0

v0.22.0

v0.22.1

v0.22.2

v0.23.0

v0.23.1

v0.24.0

v0.25.0

v0.26.0

v0.27.0

v0.28.0

v0.28.1

v0.29.0

v0.3.0

v0.30.0

v0.31.0

v0.31.1

v0.31.2

v0.32.0

v0.32.1

v0.32.2

v0.33.0

v0.34.0

v0.34.1

v0.34.2

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.5.0

v0.5.1

v0.5.2

v0.6.0

v0.6.1

v0.7.0

v0.8.0

v0.8.1

v0.8.2

v0.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39272.json"

github.com/fluxcd/kustomize-controller

Affected ranges

Type: GIT
Repo: https://github.com/fluxcd/kustomize-controller
Events: Introduced

74cb7638c4e390d45826b926c24de7fd261b60b2

Fixed

69a9e9d6bf4666eb02d2367210b29d0a66262580

Introduced

8e16bd4c926846959f7996648223d22ef29b6648

Fixed

e3f65fb7bcba07037e88490ad0ad88230e520c5e

Affected versions

api/v0.*

api/v0.0.10

api/v0.0.11

api/v0.0.12

api/v0.0.13

api/v0.0.8

api/v0.0.9

api/v0.1.0

api/v0.1.1

api/v0.1.2

api/v0.10.0

api/v0.11.0

api/v0.11.1

api/v0.12.0

api/v0.12.1

api/v0.12.2

api/v0.13.0

api/v0.13.1

api/v0.13.2

api/v0.13.3

api/v0.14.0

api/v0.14.1

api/v0.15.0

api/v0.15.1

api/v0.15.2

api/v0.15.3

api/v0.15.4

api/v0.15.5

api/v0.16.0

api/v0.17.0

api/v0.18.0

api/v0.18.1

api/v0.18.2

api/v0.19.0

api/v0.19.1

api/v0.2.0

api/v0.2.1

api/v0.2.2

api/v0.20.0

api/v0.20.1

api/v0.20.2

api/v0.21.0

api/v0.21.1

api/v0.22.0

api/v0.22.1

api/v0.22.2

api/v0.22.3

api/v0.23.0

api/v0.24.0

api/v0.3.0

api/v0.4.0

api/v0.5.0

api/v0.5.1

api/v0.5.2

api/v0.5.3

api/v0.6.0

api/v0.6.1

api/v0.6.2

api/v0.6.3

api/v0.7.0

api/v0.7.1

api/v0.7.2

api/v0.7.3

api/v0.7.4

api/v0.8.0

api/v0.8.1

api/v0.9.0

api/v0.9.1

api/v0.9.2

api/v0.9.3

v0.*

v0.0.10

v0.0.11

v0.0.12

v0.0.13

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

v0.1.0

v0.1.1

v0.1.2

v0.10.0

v0.11.0

v0.11.1

v0.12.0

v0.12.1

v0.12.2

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.14.0

v0.14.1

v0.15.0

v0.15.1

v0.15.2

v0.15.3

v0.15.4

v0.15.5

v0.16.0

v0.17.0

v0.18.0

v0.18.1

v0.18.2

v0.19.0

v0.19.1

v0.2.0

v0.2.1

v0.2.2

v0.20.0

v0.20.1

v0.20.2

v0.21.0

v0.21.1

v0.22.0

v0.22.1

v0.22.2

v0.22.3

v0.23.0

v0.3.0

v0.4.0

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.7.4

v0.8.0

v0.8.1

v0.9.0

v0.9.1

v0.9.2

v0.9.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39272.json"