CVE-2022-31054

Uncontrolled Resource Consumption in go/github.com/argoproj/argo-events

Identifiers

GHSA-5q86-62xr-3r57, CVE-2022-31054

Package Slug

go/github.com/argoproj/argo-events

Vulnerability

Uncontrolled Resource Consumption

Description

Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1, several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. A patch for this vulnerability has been released in Argo Events version 1.7.1.

Affected Versions

All versions before 1.7.1

Solution

Upgrade to version 1.7.1 or above.

Last Modified

2022-06-17

source