CVE-2022-31054: Uncontrolled Resource Consumption
Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1, several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. A patch for this vulnerability has been released in Argo Events version 1.7.1.
References
- github.com/advisories/GHSA-5q86-62xr-3r57
- github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35
- github.com/argoproj/argo-events/issues/1946
- github.com/argoproj/argo-events/pull/1966
- github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57
- nvd.nist.gov/vuln/detail/CVE-2022-31054
Code Behaviors & Features
Detect and mitigate CVE-2022-31054 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →