7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31054

GHSA ID

GHSA-5q86-62xr-3r57

EPSS Score

0.66421%

CWE

CWE-400

Published

6/17/2022

Updated

1/27/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31054

CVE-2022-31054: Uses of deprecated API can be used to cause DoS in user-facing endpoints

Impact

Several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service.

Eventsources susceptible to an out-of-memory denial-of-service attack:

AWS SNS
Bitbucket
Bitbucket
Gitlab
Slack
Storagegrid
Webhook

Patches

A patch for this vulnerability has been released in the following Argo Events version:

v1.7.1

Credits

Disclosed by Ada Logics in a security audit sponsored by CNCF and facilitated by OSTIF.

For more information

Open an issue in the Argo Events issue tracker or discussions Join us on Slack in channel #argo-events

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31054

GHSA ID

GHSA-5q86-62xr-3r57

EPSS Score

0.66421%

CWE

CWE-400

Published

6/17/2022

Updated

1/27/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/argoproj/argo-events	go	< 1.7.1	1.7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using deprecated ioutil.ReadAll() which reads entire request bodies into memory. The commit diff shows replacements of ioutil.ReadAll() with io.ReadAll combined with http.MaxBytesReader in multiple event source handlers. The affected components listed in the advisory (AWS SNS, Bitbucket, Gitlab, etc.) correspond to these patched files. Each identified function was directly modified in the security patch, indicating they were vulnerable endpoints allowing DoS via large payloads.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t S*v*r*l `**n*l*Rout*` *n*points m*k* us* o* t** **pr***t** `ioutil.R****ll()`. `ioutil.R****ll()` r***s *ll t** **t* into m*mory. *s su**, *n *tt**k*r w*o s*n*s * l*r** r*qu*st to t** *r*o *v*nts s*rv*r will ** **l* to *r*s* it *n* **us* *

Reasoning

T** vuln*r**ility st*ms *rom usin* **pr***t** `ioutil.R****ll()` w*i** r***s *ntir* r*qu*st *o*i*s into m*mory. T** *ommit *i** s*ows r*pl***m*nts o* `ioutil.R****ll()` wit* `io.R****ll` *om*in** wit* `*ttp.M*x*yt*sR****r` in multipl* *v*nt sour** **

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-31054: Uses of deprecated API can be used to cause DoS in user-facing endpoints

Impact

Patches

Credits

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI