Vulnerabilities > CVE-2022-31054 - Out-of-bounds Write vulnerability in Argo Events Project Argo Events
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1, several `HandleRoute` endpoints make use of the deprecated `ioutil.ReadAll()`. `ioutil.ReadAll()` reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. A patch for this vulnerability has been released in Argo Events version 1.7.1.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35
- https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35
- https://github.com/argoproj/argo-events/issues/1946
- https://github.com/argoproj/argo-events/issues/1946
- https://github.com/argoproj/argo-events/pull/1966
- https://github.com/argoproj/argo-events/pull/1966
- https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57
- https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57