CVE-2022-31054 Information

Description

Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1 several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. A patch for this vulnerability has been released in Argo Events version 1.7.1.

Reference

https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57 https://github.com/argoproj/argo-events/issues/1946 https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35 https://github.com/argoproj/argo-events/pull/1966