GHSA-5q86-62xr-3r57

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-5q86-62xr-3r57/GHSA-5q86-62xr-3r57.json
Aliases
  • CVE-2022-31054
Published
2022-06-17T01:02:56Z
Modified
2022-06-17T01:02:56Z
Details

Impact

Several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service.

Eventsources susceptible to an out-of-memory denial-of-service attack:

  • AWS SNS
  • Bitbucket
  • Bitbucket
  • Gitlab
  • Slack
  • Storagegrid
  • Webhook

Patches

A patch for this vulnerability has been released in the following Argo Events version:

v1.7.1

Credits

Disclosed by Ada Logics in a security audit sponsored by CNCF and facilitated by OSTIF.

For more information

Open an issue in the Argo Events issue tracker or discussions Join us on Slack in channel #argo-events

References

Affected packages

Go / github.com/argoproj/argo-events

github.com/argoproj/argo-events

Affected ranges

Type
SEMVER
Events
Introduced
0
Fixed
1.7.1

Affected versions