Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-5Q86-62XR-3R57
HistoryJun 17, 2022 - 1:02 a.m.

Uses of deprecated API can be used to cause DoS in user-facing endpoints

2022-06-1701:02:56
CWE-400
CWE-787
GitHub Advisory Database
github.com
22
deprecated api
dos
user-facing
argo events
aws sns
bitbucket
gitlab
slack
storagegrid
webhook
out-of-memory
patch
v1.7.1
cncf
ostif
security audit
ada logics
github
slack
software

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

51.1%

JSON

Impact

Several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service.

Eventsources susceptible to an out-of-memory denial-of-service attack:

  • AWS SNS
  • Bitbucket
  • Bitbucket
  • Gitlab
  • Slack
  • Storagegrid
  • Webhook

Patches

A patch for this vulnerability has been released in the following Argo Events version:

v1.7.1

Credits

Disclosed by Ada Logics in a security audit sponsored by CNCF and facilitated by OSTIF.

For more information

Open an issue in the Argo Events issue tracker or discussions
Join us on Slack in channel #argo-events

Affected configurations

Vulners
Node
argoprojargo_cdRange<1.7.1
VendorProductVersionCPE
argoprojargo_cd*cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*

Related

cve 1
osv 3
nvd 1
veracode 1
gitlab 1
cvelist 1
prion 1
cve
cve
CVE-2022-31054
2022-06-13 20:15:07
osv
osv
Uses of deprecated API can be used to cause DoS in user-facing endpoints in github.com/argoproj/argo-events
2024-08-21 15:11:33
CVE-2022-31054
2022-06-13 20:15:07
Uses of deprecated API can be used to cause DoS in user-facing endpoints
2022-06-17 01:02:56
nvd
nvd
CVE-2022-31054
2022-06-13 20:15:07
veracode
veracode
Denial Of Service (DoS)
2022-06-14 07:28:54
gitlab
gitlab
Uncontrolled Resource Consumption
2022-06-17 00:00:00
cvelist
cvelist
CVE-2022-31054 Uses of deprecated API can be used to cause DoS in user-facing endpoints in Argo Events
2022-06-13 19:40:12
prion
prion
Design/Logic Flaw
2022-06-13 20:15:00

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

51.1%

JSON
Related for GHSA-5Q86-62XR-3R57
cve1osv3nvd1veracode1gitlab1cvelist1prion1