data/reports/GO-2022-1071.yaml - vulndb - Git at Google

 modules:
   - module: github.com/fluxcd/helm-controller/api
     versions:
       - fixed: 0.26.0
     vulnerable_at: 0.25.0
     packages:
       - package: github.com/fluxcd/helm-controller/api/v2beta1
   - module: github.com/fluxcd/image-automation-controller/api
     versions:
       - fixed: 0.26.1
     vulnerable_at: 0.26.0
     packages:
       - package: github.com/fluxcd/image-automation-controller/api/v1beta1
   - module: github.com/fluxcd/image-reflector-controller/api
     versions:
       - fixed: 0.22.1
     vulnerable_at: 0.22.0
     packages:
       - package: github.com/fluxcd/image-reflector-controller/api/v1beta1
   - module: github.com/fluxcd/kustomize-controller/api
     versions:
       - fixed: 0.30.0
     vulnerable_at: 0.29.0
     packages:
       - package: github.com/fluxcd/kustomize-controller/api/v1beta2
   - module: github.com/fluxcd/notification-controller/api
     versions:
       - fixed: 0.28.0
     vulnerable_at: 0.27.0
     packages:
       - package: github.com/fluxcd/notification-controller/api/v1beta1
   - module: github.com/fluxcd/source-controller/api
     versions:
       - fixed: 0.30.0
     vulnerable_at: 0.29.0
     packages:
       - package: github.com/fluxcd/source-controller/api/v1beta2
 description: |-
     Flux controllers are vulnerable to a denial of service attack.

     Users that have permissions to change Flux's objects, either through a Flux
     source or directly within a cluster, can provide invalid data to fields
     `.spec.interval` or `.spec.timeout` (and structured variations of these
     fields), causing the entire object type to stop being processed.

     The issue has two root causes: a) the Kubernetes type `metav1.Duration` is
     not fully compatible with the Go type `time.Duration` as explained in
     https://github.com/kubernetes/apimachinery/issues/131, and b)
     a lack of validation within Flux to restrict allowed values.
 cves:
   - CVE-2022-39272
 ghsas:
   - GHSA-f4p5-x4vc-mh4v
 credit: Alexander Block (@codablock)
 references:
   - advisory: https://github.com/advisories/GHSA-f4p5-x4vc-mh4v
   - fix: https://github.com/fluxcd/helm-controller/pull/533
   - fix: https://github.com/fluxcd/image-automation-controller/pull/439
   - fix: https://github.com/fluxcd/image-reflector-controller/pull/314
   - fix: https://github.com/fluxcd/kustomize-controller/pull/731
   - fix: https://github.com/fluxcd/notification-controller/pull/420
   - fix: https://github.com/fluxcd/source-controller/pull/903
   - web: https://github.com/kubernetes/apimachinery#131
	modules:
	- module: github.com/fluxcd/helm-controller/api
	versions:
	- fixed: 0.26.0
	vulnerable_at: 0.25.0
	packages:
	- package: github.com/fluxcd/helm-controller/api/v2beta1
	- module: github.com/fluxcd/image-automation-controller/api
	versions:
	- fixed: 0.26.1
	vulnerable_at: 0.26.0
	packages:
	- package: github.com/fluxcd/image-automation-controller/api/v1beta1
	- module: github.com/fluxcd/image-reflector-controller/api
	versions:
	- fixed: 0.22.1
	vulnerable_at: 0.22.0
	packages:
	- package: github.com/fluxcd/image-reflector-controller/api/v1beta1
	- module: github.com/fluxcd/kustomize-controller/api
	versions:
	- fixed: 0.30.0
	vulnerable_at: 0.29.0
	packages:
	- package: github.com/fluxcd/kustomize-controller/api/v1beta2
	- module: github.com/fluxcd/notification-controller/api
	versions:
	- fixed: 0.28.0
	vulnerable_at: 0.27.0
	packages:
	- package: github.com/fluxcd/notification-controller/api/v1beta1
	- module: github.com/fluxcd/source-controller/api
	versions:
	- fixed: 0.30.0
	vulnerable_at: 0.29.0
	packages:
	- package: github.com/fluxcd/source-controller/api/v1beta2
	description: \|-
	Flux controllers are vulnerable to a denial of service attack.

	Users that have permissions to change Flux's objects, either through a Flux
	source or directly within a cluster, can provide invalid data to fields
	`.spec.interval` or `.spec.timeout` (and structured variations of these
	fields), causing the entire object type to stop being processed.

	The issue has two root causes: a) the Kubernetes type `metav1.Duration` is
	not fully compatible with the Go type `time.Duration` as explained in
	https://github.com/kubernetes/apimachinery/issues/131, and b)
	a lack of validation within Flux to restrict allowed values.
	cves:
	- CVE-2022-39272
	ghsas:
	- GHSA-f4p5-x4vc-mh4v
	credit: Alexander Block (@codablock)
	references:
	- advisory: https://github.com/advisories/GHSA-f4p5-x4vc-mh4v
	- fix: https://github.com/fluxcd/helm-controller/pull/533
	- fix: https://github.com/fluxcd/image-automation-controller/pull/439
	- fix: https://github.com/fluxcd/image-reflector-controller/pull/314
	- fix: https://github.com/fluxcd/kustomize-controller/pull/731
	- fix: https://github.com/fluxcd/notification-controller/pull/420
	- fix: https://github.com/fluxcd/source-controller/pull/903
	- web: https://github.com/kubernetes/apimachinery#131