CVE-2022-31080

Description

### Impact A large response received by the viaduct WSClient can cause a DoS from memory exhaustion. The entire body of the response is being read into memory which could allow an attacker to send a request that returns a response with a large body. The consequence of the exhaustion is that the process which invokes a WSClient will be in a denial of service. It will be affected If users which are authenticated to the edge side and connect from the edge side to `cloudhub` through WebSocket protocol. ### Patches This bug has been fixed in Kubeedge 1.11.1, 1.10.2, 1.9.4. Users should update to these versions to resolve the issue. ### Workarounds At the time of writing, no workaround exists. ### References NA ### Credits Thanks David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the [kubeedge security policy](https://github.com/kubeedge/kubeedge/security/policy) during a security audit sponsored by CNCF and facilitated by OSTIF. ### For more information If you have any questions or comments about this advisory: * Open an issue in [KubeEdge repo](https://github.com/kubeedge/kubeedge/issues/new/choose) * To make a vulnerability report, email your vulnerability to the private [[email protected]](mailto:[email protected]) list with the security details and the details expected for [KubeEdge bug reports](https://github.com/kubeedge/kubeedge/blob/master/.github/ISSUE_TEMPLATE/bug-report.md).

Affected packages (2)

• Go/github.com/kubeedge/kubeedge>= 1.11.0, < 1.11.1
• Go/github.com/kubeedge/kubeedgefrom 0, < 1.9.4, >= 1.10.0, < 1.10.2, >= 1.11.0, < 1.11.1

CVSS scores

References (3)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-31080
• PATCHgithub.com/kubeedge/kubeedge
• WEBhttps://github.com/kubeedge/kubeedge/security/advisories/GHSA-6wvc-6pww-qr4r