PT-2022-24860 · Flux · Flux

Uasimojo · Published 2022-10-19 · Updated 2024-03-06 · CVE-2022-39272

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Flux versions prior to 0.35.0

Description: Denial of Service in Flux, an open and extensible continuous delivery solution for Kubernetes. Users with permissions to change Flux's objects, either through a Flux source or directly in the cluster, can supply invalid values for the fields spec.interval or spec.timeout, after which the controller stops processing every object of that type, not only the object that was modified. Two root causes combine: the Kubernetes type metav1.Duration is not fully compatible with the Go type time.Duration, and Flux performed no validation of its own to restrict the values these fields accept.

Recommendations: For versions prior to 0.35.0, upgrade to version 0.35.0 or later. As a temporary workaround, use an admission controller to restrict the values accepted for spec.interval and spec.timeout; upgrading remains the recommended mitigation.
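The following Go program is an added illustration of the two root causes and of the admission-side workaround; it is not code from this advisory or from the Flux project. It reimplements the JSON decoding of metav1.Duration inline (a plain time.ParseDuration call, so no Kubernetes dependency is needed) and shows how a value that passes a string-typed CRD schema can either fail to decode in the controller ("1d") or decode into a duration a controller cannot use ("-5m"). The Spec type, the DecodeSpec and ValidateDuration functions, the regular expression and the sample values are all assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// Duration mirrors the JSON behaviour of k8s.io/apimachinery's metav1.Duration:
// a string decoded with time.ParseDuration. It is reimplemented inline so the
// example has no Kubernetes dependency; the upstream type decodes the same way.
type Duration struct {
	time.Duration
}

func (d *Duration) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	pd, err := time.ParseDuration(s)
	if err != nil {
		return err
	}
	d.Duration = pd
	return nil
}

// Spec is a hypothetical, cut-down Flux object spec carrying only the two
// fields named in the advisory (real Flux specs have many more).
type Spec struct {
	Interval Duration  `json:"interval"`
	Timeout  *Duration `json:"timeout,omitempty"`
}

// DecodeSpec stands in for the controller side. A CRD schema that types the
// field as a plain string lets the API server persist any value; the Go decode
// happens later in the controller, and an error at that point is what stops
// the controller from processing objects of that type.
func DecodeSpec(raw string) (Spec, error) {
	var s Spec
	err := json.Unmarshal([]byte(raw), &s)
	return s, err
}

// durationPattern is the shape an admission controller can enforce for the
// workaround: one or more "<number><unit>" groups with units ms, s, m or h,
// no sign and no bare number. The pattern is an assumption for this example,
// not copied from the project's CRDs.
var durationPattern = regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$`)

// ValidateDuration is the admission-side check: shape first, then value, so
// "-5m" (which time.ParseDuration accepts) and "0s" (shape-valid but useless
// as a requeue interval) are rejected alongside "1d" and "soon".
func ValidateDuration(field, s string) error {
	if !durationPattern.MatchString(s) {
		return fmt.Errorf("%s: %q does not match %s", field, s, durationPattern)
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return fmt.Errorf("%s: %w", field, err)
	}
	if d <= 0 {
		return fmt.Errorf("%s: must be greater than zero, got %s", field, d)
	}
	return nil
}

func main() {
	// Constructed sample values; none are taken from a real cluster.
	for _, v := range []string{"10m", "1.5h", "0s", "-5m", "1d", "soon"} {
		raw := fmt.Sprintf(`{"interval":%q}`, v)
		spec, err := DecodeSpec(raw)
		if err != nil {
			fmt.Printf("%-5s controller decode: FAILS (%v)\n", v, err)
		} else {
			fmt.Printf("%-5s controller decode: ok, interval=%s\n", v, spec.Interval.Duration)
		}
		fmt.Printf("%-5s admission check:    %v\n", v, ValidateDuration("spec.interval", v))
	}
}
```

Run it with `go run .` to see the two failure modes side by side: "1d" and "soon" are stored by a string-typed schema but cannot be decoded by the controller, while "-5m" and "0s" decode without error and only the admission check catches them. Checking the pattern before parsing keeps the shape restriction independent of whatever time.ParseDuration happens to accept.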

Related Identifiers

BIT-FLUX-2022-39272
BIT-KUSTOMIZE-2022-39272
CVE-2022-39272
GHSA-F4P5-X4VC-MH4V
GO-2022-1071

Affected Products

Flux