CVE-2022-39272
Denial of service in flux controllers in github.com/fluxcd modules
Severity: MEDIUM (5.0) | EPSS: 0.33%
Published: 10/19/2022 | Modified: 2/4/2026
Description
Flux controllers are vulnerable to a denial of service attack. Users that have permissions to change Flux's objects, either through a Flux source or directly within a cluster, can provide invalid data to fields .spec.interval or .spec.timeout (and structured variations of these fields), causing the entire object type to stop being processed. The issue has two root causes: a) the Kubernetes type metav1.Duration is not fully compatible with the Go type time.Duration as explained in https://github.com/kubernetes/apimachinery/issues/131, and b) a lack of validation within Flux to restrict allowed values.
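The root cause described above can be reproduced without a cluster. The following is an added example written for this page, not code from the Flux project: it re-implements the JSON decoding behaviour of metav1.Duration (a string handed to time.ParseDuration) on a constructed cut-down Spec type, shows values that a string-typed CRD schema accepts but the typed decode rejects, and then applies the kind of validation the linked fix PRs add. The regular expression is assumed to be of the same shape as the CRD pattern in those PRs; check the PRs for the exact marker.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"time"
)

// Duration reproduces how metav1.Duration from k8s.io/apimachinery decodes JSON:
// the value is read as a string and handed to time.ParseDuration. It is
// re-implemented here (an assumption, to keep the example standard-library only)
// so the failure mode can be reproduced offline.
type Duration struct {
	time.Duration
}

func (d *Duration) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	parsed, err := time.ParseDuration(s)
	if err != nil {
		return err
	}
	d.Duration = parsed
	return nil
}

// Spec is a constructed, cut-down stand-in for the .spec of a Flux object
// carrying the two fields named in the advisory.
type Spec struct {
	Interval Duration  `json:"interval"`
	Timeout  *Duration `json:"timeout,omitempty"`
}

// DecodeSpec is the pre-fix controller path: the CRD schema types these fields
// as plain strings, so the API server stores whatever was submitted and the
// typed decode inside the controller is the first thing that can fail.
func DecodeSpec(raw string) (Spec, error) {
	var s Spec
	err := json.Unmarshal([]byte(raw), &s)
	return s, err
}

// intervalPattern is a pattern of the shape the linked fix PRs attach to these
// fields as CRD validation (assumed here; check the PRs for the exact marker).
var intervalPattern = regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$`)

// ValidateDuration is the admission-time check that should run before a value
// is stored: the pattern rejects missing or unsupported units, and the
// round-trip through time.ParseDuration additionally rejects magnitudes that
// overflow int64 nanoseconds, which the pattern alone would let through.
func ValidateDuration(v string) error {
	if !intervalPattern.MatchString(v) {
		return errors.New("value does not match the duration pattern")
	}
	if _, err := time.ParseDuration(v); err != nil {
		return err
	}
	return nil
}

func main() {
	// Constructed sample values: one valid, the rest accepted by a string-typed
	// schema but rejected by time.ParseDuration.
	samples := []string{"5m", "1", "1d", "", "9999999999999999999h"}
	for _, v := range samples {
		_, decodeErr := DecodeSpec(fmt.Sprintf(`{"interval":%q}`, v))
		fmt.Printf("%-22q decode: %-45v validate: %v\n", v, decodeErr, ValidateDuration(v))
	}
}
```

Running it prints one line per sample: only "5m" decodes; "1" (no unit), "1d" (unit Go does not know), "" and the overflowing hour count all fail in UnmarshalJSON, which is the point at which a single bad object can stop the controller from processing the whole kind. Note that the pattern on its own still admits the overflowing value, so a parse round-trip or an explicit upper bound belongs in the validation as well.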
Affected packages (15)
- Bitnami / flux: >= 0.1.0, < 0.35.0
- Bitnami / kustomize: >= 0.0.2, < 0.29.0
- Go / github.com/fluxcd/flux2: >= 0.1.0, < 0.35.0
- Go / github.com/fluxcd/helm-controller: >= 0.0.1-alpha-1, < 0.24.0
- Go / github.com/fluxcd/helm-controller/api: all versions < 0.26.0
- Go / github.com/fluxcd/image-automation-controller: >= 0.1.0, < 0.26.0
- Go / github.com/fluxcd/image-automation-controller/api: all versions < 0.26.1
- Go / github.com/fluxcd/image-reflector-controller: >= 0.1.0, < 0.22.0
- Go / github.com/fluxcd/image-reflector-controller/api: all versions < 0.22.1
- Go / github.com/fluxcd/kustomize-controller: >= 0.0.1-alpha-1, < 0.29.0
- Go / github.com/fluxcd/kustomize-controller/api: all versions < 0.30.0
- Go / github.com/fluxcd/notification-controller: >= 0.0.1-alpha-1, < 0.27.0
- Go / github.com/fluxcd/notification-controller/api: all versions < 0.28.0
- Go / github.com/fluxcd/source-controller: >= 0.0.1-alpha-1, < 0.30.0
- Go / github.com/fluxcd/source-controller/api: all versions < 0.30.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.0) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L |
References (13)
- ADVISORY: https://github.com/advisories/GHSA-f4p5-x4vc-mh4v
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-39272
- PATCH: https://github.com/fluxcd/flux2
- WEB: https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v
- WEB: https://github.com/fluxcd/helm-controller/pull/533
- WEB: https://github.com/fluxcd/image-automation-controller/pull/439
- WEB: https://github.com/fluxcd/image-reflector-controller/pull/314
- WEB: https://github.com/fluxcd/kustomize-controller/pull/731
- WEB: https://github.com/fluxcd/notification-controller/pull/420
- WEB: https://github.com/fluxcd/source-controller/pull/903
- WEB: https://github.com/kubernetes/apimachinery#131
- WEB: https://github.com/kubernetes/apimachinery/issues/131
- WEB: https://pkg.go.dev/vuln/GO-2022-1071