PT-2022-20512 · KubeEdge · KubeEdge

Adam Korczynski +1 · Published 2022-06-25 · Updated 2024-08-21 · CVE-2022-31077

CVSS v3.1: 4.0 (Medium)
Vector: AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

KubeEdge versions prior to 1.11.0
KubeEdge versions prior to 1.10.1
KubeEdge versions prior to 1.9.3

Description

A malicious message response from KubeEdge can crash the CSI Driver controller server by triggering a nil-pointer dereference panic, resulting in a denial of service. This issue affects KubeEdge, which extends native containerized application orchestration and device management to hosts at the Edge. To exploit this issue, an attacker would need to be an authenticated user of the Cloud side and to launch the csidriver.

Recommendations

For versions prior to 1.11.0, update to version 1.11.0 to resolve the issue.
For versions prior to 1.10.1, update to version 1.10.1 to resolve the issue.
For versions prior to 1.9.3, update to version 1.9.3 to resolve the issue.

As a temporary workaround, consider restricting access to the CSI Driver controller server until a patch is applied. At the moment, there are no other workarounds available.
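The bug class described above, shown as an added Go example that is not KubeEdge's own code: a hypothetical response handler that dereferences a pointer inside an untyped message payload without checking it (the vulnerable shape), the same handler with the nil checks that turn a malformed response into an error, and a recover wrapper as defence in depth so one bad message cannot take the server down. The Message and VolumeResult types are assumptions for illustration.

```go
package main

import "fmt"

// Message is a hypothetical response shape (not KubeEdge's own type): the
// payload arrives as an untyped interface that the handler must validate.
type Message struct {
	ID      string
	Content interface{}
}

// VolumeResult is the payload the controller expects in Message.Content.
type VolumeResult struct {
	VolumeID *string
}

// vulnerableHandle trusts the response: it asserts the content type and
// dereferences VolumeID with no nil check, so a response carrying no payload
// or a nil VolumeID panics and takes the whole server process down.
func vulnerableHandle(msg *Message) string {
	res := msg.Content.(*VolumeResult)
	return *res.VolumeID
}

// hardenedHandle checks every pointer before dereferencing it and turns a
// malformed response into an error for the caller instead of a crash.
func hardenedHandle(msg *Message) (string, error) {
	if msg == nil {
		return "", fmt.Errorf("nil message")
	}
	res, ok := msg.Content.(*VolumeResult)
	if !ok || res == nil {
		return "", fmt.Errorf("message %s: missing or unexpected content", msg.ID)
	}
	if res.VolumeID == nil {
		return "", fmt.Errorf("message %s: missing volume id", msg.ID)
	}
	return *res.VolumeID, nil
}

// safeCall is defence in depth: it recovers a panic from any handler so one
// bad message cannot stop the server, and reports it as an error to be logged.
func safeCall(msg *Message, h func(*Message) string) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	return h(msg), nil
}
```

The recover wrapper only limits the blast radius; the validation in hardenedHandle is the actual fix, since a recovered panic still means the request was dropped.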

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

CVE-2022-31077
GHSA-X938-FVFW-7JH5
GO-2022-0501

Affected Products

KubeEdge