Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/kubeedge/kubeedge: CVE-2022-31078 #371

Open
jba opened this issue Jul 11, 2022 · 0 comments
Open

x/vulndb: potential Go vuln in github.com/kubeedge/kubeedge: CVE-2022-31078 #371

jba opened this issue Jul 11, 2022 · 0 comments
Labels
cve-year-2022

Comments

@jba
Copy link
Owner

jba commented Jul 11, 2022

CVE-2022-31078 references github.com/kubeedge/kubeedge, which may be a Go module.

Description:
KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the CloudCore Router does not impose a limit on the size of responses to requests made by the REST handler. An attacker could use this weakness to make a request that will return an HTTP response with a large body and cause DoS of CloudCore. In the HTTP Handler API, the rest handler makes a request to a pre-specified handle. The handle will return an HTTP response that is then read into memory. The consequence of the exhaustion is that CloudCore will be in a denial of service. Only an authenticated user of the cloud can make an attack. It will be affected only when users enable router module in the config file cloudcore.yaml. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the router switch in the config file cloudcore.yaml.

Links:

See doc/triage.md for instructions on how to triage this report.

module: github.com/kubeedge/kubeedge
package: kubeedge
description: |
    KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the CloudCore Router does not impose a limit on the size of responses to requests made by the REST handler. An attacker could use this weakness to make a request that will return an HTTP response with a large body and cause DoS of CloudCore. In the HTTP Handler API, the rest handler makes a request to a pre-specified handle. The handle will return an HTTP response that is then read into memory. The consequence of the exhaustion is that CloudCore will be in a denial of service. Only an authenticated user of the cloud can make an attack. It will be affected only when users enable `router` module in the config file `cloudcore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the router switch in the config file `cloudcore.yaml`.
cves:
  - CVE-2022-31078
links:
    context:
      - https://github.com/kubeedge/kubeedge/security/advisories/GHSA-qpx3-9565-5xwm
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
cve-year-2022
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jba