logo

Database

Asymmetric denial of service In github.com/argoproj/argo-events

Description

Uses of deprecated API can be used to cause DoS in user-facing endpoints

Impact

Several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service.

Eventsources susceptible to an out-of-memory denial-of-service attack:

    AWS SNS

    Bitbucket

    Bitbucket

    Gitlab

    Slack

    Storagegrid

    Webhook

Patches

A patch for this vulnerability has been released in the following Argo Events version:

v1.7.1

Credits

Disclosed by Ada Logics in a security audit sponsored by CNCF and facilitated by OSTIF.

For more information

Open an issue in the Argo Events issue tracker or discussions Join us on Slack in channel #argo-events

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-310542. NVD-2022-310543. OSV-2022-310544. GHSA-5q86-62xr-3r575. GCVE-2022-31054

References

1. https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r572. https://github.com/argoproj/argo-events/issues/19463. https://github.com/argoproj/argo-events/pull/19664. https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.