PT-2022-20513 · Kubeedge · Kubeedge

Adam Korczynski +1 · Published 2022-07-11 · Updated 2024-08-21 · CVE-2022-31078

CVSS v3.1: 4.4 Medium
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

KubeEdge versions prior to 1.11.1
KubeEdge versions prior to 1.10.2
KubeEdge versions prior to 1.9.4

Description

The CloudCore Router in KubeEdge does not impose a limit on the size of responses to requests made by the REST handler, allowing an attacker to make a request that will return an HTTP response with a large body and cause a denial of service. This can occur when the router module is enabled in the config file cloudcore.yaml. Only an authenticated user of the cloud can carry out the attack. The resulting resource exhaustion leaves CloudCore in a denial of service.

Recommendations

For versions prior to 1.11.1, update to version 1.11.1 or later. For versions prior to 1.10.2, update to version 1.10.2 or later. For versions prior to 1.9.4, update to version 1.9.4 or later. As a temporary workaround, disable the router module in the config file cloudcore.yaml by setting enable to false.

Exploit

Fix

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2022-31078
GHSA-QPX3-9565-5XWM
GO-2022-0510

Affected Products

Kubeedge