CVE-2022-31054 – github.com/argoproj/argo-events
Package
Manager: go
Name: github.com/argoproj/argo-events
Vulnerable Version: >=0 <1.7.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00534 (percentile 0.66424)
Details
Uses of deprecated API can be used to cause DoS in user-facing endpoints

### Impact

Several `HandleRoute` endpoints make use of the deprecated `ioutil.ReadAll()`. `ioutil.ReadAll()` reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service.

Eventsources susceptible to an out-of-memory denial-of-service attack:

- AWS SNS
- Bitbucket
- Bitbucket
- Gitlab
- Slack
- Storagegrid
- Webhook

### Patches

A patch for this vulnerability has been released in the following Argo Events version: v1.7.1

### Credits

Disclosed by [Ada Logics](https://adalogics.com/) in a security audit sponsored by CNCF and facilitated by OSTIF.

### For more information

Open an issue in the [Argo Events issue tracker](https://github.com/argoproj/argo-events/issues) or [discussions](https://github.com/argoproj/argo-events/discussions). Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-events.
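The following is an added illustration of the weakness class the advisory describes, not code from Argo Events and not the actual v1.7.1 patch. It places a webhook-style handler that buffers the whole request body with `ReadAll` (the pattern the advisory names) next to a hardened variant that reads at most a fixed number of bytes and rejects anything larger with HTTP 413 before doing further work. The 1 MiB limit, the `io.LimitReader` technique and the handler names are assumptions for the example; the advisory does not state what limit or mechanism the fix uses.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// maxBodyBytes is an assumed limit chosen for this example; it is not the
// value used by the Argo Events patch.
const maxBodyBytes int64 = 1 << 20 // 1 MiB

// vulnerableHandler follows the pattern the advisory describes: the entire
// request body is buffered in memory before anything is checked, so the
// server spends as much memory as the client chooses to send.
// (io.ReadAll is the non-deprecated name of ioutil.ReadAll; same behaviour.)
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte(strconv.Itoa(len(body))))
}

// hardenedHandler reads at most maxBodyBytes+1 bytes. If the extra byte is
// present the body exceeds the limit and the request is rejected with 413.
// Memory use is bounded regardless of Content-Length, which a client may omit
// (chunked encoding) or misstate, so the check is on bytes actually read.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, maxBodyBytes+1))
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	if int64(len(body)) > maxBodyBytes {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte(strconv.Itoa(len(body))))
}

// serve runs a handler against an in-memory POST carrying body and returns
// the status code and the trimmed response body.
func serve(h http.HandlerFunc, body string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(body))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	// Constructed input: a body one byte over the assumed limit.
	oversized := strings.Repeat("A", int(maxBodyBytes)+1)

	code, resp := serve(vulnerableHandler, oversized)
	fmt.Printf("vulnerable: %d %s\n", code, resp) // 200 1048577: fully buffered
	code, resp = serve(hardenedHandler, oversized)
	fmt.Printf("hardened:   %d %s\n", code, resp) // 413 request body too large
	code, resp = serve(hardenedHandler, "hello")
	fmt.Printf("hardened:   %d %s\n", code, resp) // 200 5
}
```

In a real server the same bound can be applied with `http.MaxBytesReader`, which additionally tells the server to close the connection once the limit is hit; the explicit `LimitReader` form is used here so the over-limit decision is visible in the handler. Either way the limit belongs at the first read of the body, before any parsing, so that an oversized request never reaches the code that would allocate for it.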
Metadata
Created: 2022-06-17T01:02:56Z
Modified: 2022-06-29T21:49:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-5q86-62xr-3r57/GHSA-5q86-62xr-3r57.json
CWE IDs: ["CWE-400", "CWE-787"]
Alternative ID: GHSA-5q86-62xr-3r57
Finding: F002
Auto approve: 1