GMS-2022-5617: Improper use of metav1.Duration allows for Denial of Service
Flux controllers within the affected versions range is vulnerable to a denial of service attack. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields .spec.interval
or .spec.timeout
(and structured variations of these fields), causing the entire object type to stop being processed.
The issue has two root causes a) the Kubernetes type metav1.Duration
not being fully compatible with the Go type time.Duration
as explained on upstream report; b) lack of validation within Flux to restrict allowed values.
References
Detect and mitigate GMS-2022-5617 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →