CVE-2022-31054
Severity: HIGH 7.5 | EPSS: 0.56%
Uses of deprecated API can be used to cause DoS in user-facing endpoints
Description
### Impact

Several `HandleRoute` endpoints read the incoming request body with the deprecated `ioutil.ReadAll()`. `ioutil.ReadAll()` buffers the entire body into memory with no upper bound, so an unauthenticated attacker who sends a sufficiently large request to an exposed Argo Events webhook endpoint can exhaust the process's memory, crash it, and cause a denial of service. Note that the deprecation itself is not the defect: `ioutil.ReadAll()` has been an alias of `io.ReadAll()` since Go 1.16, and both read unbounded; the fix is to cap the body size before buffering it.

Event sources susceptible to this out-of-memory denial-of-service attack:

- AWS SNS
- Bitbucket
- Gitlab
- Slack
- Storagegrid
- Webhook

### Patches

A patch for this vulnerability has been released in Argo Events v1.7.1.

### Credits

Disclosed by [Ada Logics](https://adalogics.com/) in a security audit sponsored by CNCF and facilitated by OSTIF.

### For more information

Open an issue in the [Argo Events issue tracker](https://github.com/argoproj/argo-events/issues) or [discussions](https://github.com/argoproj/argo-events/discussions), or join the #argo-events channel on [Slack](https://argoproj.github.io/community/join-slack).
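The following is an added example, not code from Argo Events or from the advisory, that shows the unbounded-read pattern described above next to a bounded alternative. The handler names `vulnerableHandleRoute` and `hardenedHandleRoute`, the helper `readBounded`, and the 1 MiB cap in `maxBodyBytes` are all assumptions chosen for illustration; the page does not state how large a body the real handlers accept after the v1.7.1 patch. The `post` helper drives each handler with a constructed, zero-filled request body so the difference in behaviour can be observed offline.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxBodyBytes is an assumed cap for this example; the page does not state
// the limit Argo Events chose in v1.7.1.
const maxBodyBytes int64 = 1 << 20 // 1 MiB

var errBodyTooLarge = errors.New("request body exceeds limit")

// vulnerableHandleRoute reproduces the pattern the advisory describes: the
// entire request body is buffered into memory before any size check, so a
// client that streams gigabytes of data drives the process out of memory.
// ioutil.ReadAll has been a deprecated alias of io.ReadAll since Go 1.16 and
// behaves identically; the defect is the missing bound, not the package.
func vulnerableHandleRoute(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes\n", len(body))
}

// readBounded reads at most limit bytes from r. It asks for limit+1 bytes so
// that an oversized body is detected while buffering no more than one byte
// past the cap, and without depending on any particular error type.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errBodyTooLarge
	}
	return data, nil
}

// hardenedHandleRoute rejects an oversized body with 413 instead of holding it
// in memory. This is one way to close the gap; whether the upstream patch uses
// exactly this mechanism is not stated on this page.
func hardenedHandleRoute(w http.ResponseWriter, r *http.Request) {
	body, err := readBounded(r.Body, maxBodyBytes)
	if errors.Is(err, errBodyTooLarge) {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes\n", len(body))
}

// post sends a POST with a zero-filled body of n bytes (constructed test
// input) to h and returns the HTTP status code the handler produced.
func post(h http.HandlerFunc, n int64) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(make([]byte, n)))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	oversized := 4 * maxBodyBytes
	fmt.Println("vulnerable handler, 4 MiB body:", post(vulnerableHandleRoute, oversized))
	fmt.Println("hardened handler, 4 MiB body:  ", post(hardenedHandleRoute, oversized))
	fmt.Println("hardened handler, 1 KiB body:  ", post(hardenedHandleRoute, 1024))
}
```

In a real server the cap should be enforced as close to the socket as possible. `net/http` ships `http.MaxBytesReader`, which additionally tells the server to close the connection once the limit is exceeded; the `io.LimitReader` form above is used here only because it is easy to unit-test on a bare reader.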
Affected packages
- Go / github.com/argoproj/argo-events: all versions from 0 up to, but not including, 1.7.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-31054
- PATCH: https://github.com/argoproj/argo-events
- WEB: https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35
- WEB: https://github.com/argoproj/argo-events/issues/1946
- WEB: https://github.com/argoproj/argo-events/pull/1966
- WEB: https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57