GO-2022-1071

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-1071

Import Source

https://vuln.go.dev/ID/GO-2022-1071.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2022-1071

Aliases

Published

2022-10-28T16:07:05Z

Modified

2024-09-11T06:12:37.837743Z

Summary

Denial of service in flux controllers in github.com/fluxcd modules

Details

Flux controllers are vulnerable to a denial of service attack.

Users that have permissions to change Flux's objects, either through a Flux source or directly within a cluster, can provide invalid data to fields .spec.interval or .spec.timeout (and structured variations of these fields), causing the entire object type to stop being processed.

The issue has two root causes: a) the Kubernetes type metav1.Duration is not fully compatible with the Go type time.Duration as explained in https://github.com/kubernetes/apimachinery/issues/131, and b) a lack of validation within Flux to restrict allowed values.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-1071"
}

References

Credits

- Alexander Block (@codablock)

Affected packages

Go / github.com/fluxcd/helm-controller/api

Package

Name: github.com/fluxcd/helm-controller/api; View open source insights on deps.dev
Purl: pkg:golang/github.com/fluxcd/helm-controller/api

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.26.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/fluxcd/helm-controller/api/v2beta1"
        }
    ]
}

Go / github.com/fluxcd/image-automation-controller/api

Package

Name: github.com/fluxcd/image-automation-controller/api; View open source insights on deps.dev
Purl: pkg:golang/github.com/fluxcd/image-automation-controller/api

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.26.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/fluxcd/image-automation-controller/api/v1beta1"
        }
    ]
}

Go / github.com/fluxcd/image-reflector-controller/api

Package

Name: github.com/fluxcd/image-reflector-controller/api; View open source insights on deps.dev
Purl: pkg:golang/github.com/fluxcd/image-reflector-controller/api

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.22.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/fluxcd/image-reflector-controller/api/v1beta1"
        }
    ]
}

Go / github.com/fluxcd/kustomize-controller/api

Package

Name: github.com/fluxcd/kustomize-controller/api; View open source insights on deps.dev
Purl: pkg:golang/github.com/fluxcd/kustomize-controller/api

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.30.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/fluxcd/kustomize-controller/api/v1beta2"
        }
    ]
}

Go / github.com/fluxcd/notification-controller/api

Package

Name: github.com/fluxcd/notification-controller/api; View open source insights on deps.dev
Purl: pkg:golang/github.com/fluxcd/notification-controller/api

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.28.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/fluxcd/notification-controller/api/v1beta1"
        }
    ]
}

Go / github.com/fluxcd/source-controller/api

Package

Name: github.com/fluxcd/source-controller/api; View open source insights on deps.dev
Purl: pkg:golang/github.com/fluxcd/source-controller/api

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.30.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/fluxcd/source-controller/api/v1beta2"
        }
    ]
}