PT-2022-20492 · Unknown · Argo Events

Adam Korcz (+1)

Published 2022-06-13 · Updated 2024-08-21

CVE-2022-31054

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Argo Events versions prior to 1.7.1
Description: Argo Events is an event-driven workflow automation framework for Kubernetes. Before version 1.7.1, several HandleRoute handlers read the incoming HTTP request body with ioutil.ReadAll(), which buffers the whole body in memory with no upper bound. The function is deprecated in favour of io.ReadAll, but the weakness is the missing size limit, not the deprecation: both read until the body ends. An attacker who can reach one of these endpoints can send a very large request, exhaust the memory of the event-source process and crash it, resulting in a denial of service. No authentication or user interaction is required. Event sources susceptible to this out-of-memory denial-of-service attack include AWS SNS, Bitbucket, GitLab, Slack, StorageGRID, and Webhook.
Recommendations: Update to Argo Events version 1.7.1 or later, which limits how much of a request body the affected handlers read. Until the upgrade is possible, restrict network access to the HandleRoute endpoints (for example, allow only the address ranges of the upstream event provider) and enforce a request-body size limit at the ingress controller or reverse proxy in front of the event source, so that oversized requests are rejected before they reach the Argo Events process.
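The unbounded read described above, side by side with a bounded version of the same handler. This is an added example written for this page, not Argo Events' own code: the handler names, the /push route and the 1 MiB MaxPayloadSize are assumptions, and the fix shown uses the standard library's http.MaxBytesReader. The probe helper drives both handlers through net/http/httptest with a constructed filler body, so the comparison runs offline.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// MaxPayloadSize is an assumed cap chosen for this example; the limit Argo
// Events 1.7.1 applies, and its name, are not stated on this page.
const MaxPayloadSize = 1 << 20 // 1 MiB

// vulnerableHandler mirrors the pre-1.7.1 pattern. io.ReadAll behaves exactly
// like the deprecated ioutil.ReadAll: it grows a buffer until the body ends,
// so the client decides how much memory this goroutine allocates.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "received %d bytes\n", len(body))
}

// hardenedHandler wraps the body in http.MaxBytesReader before reading it.
// Once MaxPayloadSize bytes have been consumed the reader returns
// *http.MaxBytesError (Go 1.19+), buffering stops, and the client gets a 413
// instead of taking the process down.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, MaxPayloadSize)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "received %d bytes\n", len(body))
}

// probe sends a constructed POST of n filler bytes to h through httptest and
// returns the HTTP status the handler produced; no network is involved.
func probe(h http.HandlerFunc, n int) int {
	payload := bytes.Repeat([]byte("A"), n)
	req := httptest.NewRequest(http.MethodPost, "/push", bytes.NewReader(payload))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	oversized := 2 * MaxPayloadSize
	fmt.Printf("vulnerable handler, %d bytes: %d\n", oversized, probe(vulnerableHandler, oversized))
	fmt.Printf("hardened handler,   %d bytes: %d\n", oversized, probe(hardenedHandler, oversized))
	fmt.Printf("hardened handler,   %d bytes: %d\n", MaxPayloadSize, probe(hardenedHandler, MaxPayloadSize))
}
```

The vulnerable handler answers 200 to a body of any size because it simply allocates until the client stops sending; the hardened one accepts a body of exactly MaxPayloadSize bytes and rejects anything larger with 413 after holding at most the limit in memory. Checking Content-Length alone is not a substitute, since chunked requests carry no length.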

Exploit

Fix

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2022-31054
GHSA-5Q86-62XR-3R57
GO-2022-0490

Affected Products

Argo Events