Skip to content

Uses of deprecated API can be used to cause DoS in user-facing endpoints

High
whynowy published GHSA-5q86-62xr-3r57 Jun 13, 2022

Package

gomod github.com/argoproj/argo-events (Go)

Affected versions

< v1.7.1

Patched versions

v1.7.1

Description

Impact

Several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service.

Eventsources susceptible to an out-of-memory denial-of-service attack:

  • AWS SNS
  • Bitbucket
  • Bitbucket
  • Gitlab
  • Slack
  • Storagegrid
  • Webhook

Patches

A patch for this vulnerability has been released in the following Argo Events version:

v1.7.1

Credits

Disclosed by Ada Logics in a security audit sponsored by CNCF and facilitated by OSTIF.

For more information

Open an issue in the Argo Events issue tracker or discussions
Join us on Slack in channel #argo-events

Severity

High

CVE ID

CVE-2022-31054

Weaknesses

No CWEs

Credits