{"containers": {"cna": {"affected": [{"product": "kubeedge", "vendor": "kubeedge", "versions": [{"status": "affected", "version": "< 1.9.4"}, {"status": "affected", "version": ">= 1.10.0, < 1.10.2"}, {"status": "affected", "version": "= 1.11.0"}]}], "descriptions": [{"lang": "en", "value": "KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the ServiceBus server on the edge side may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it. It is possible for the node to be exhausted of memory. The consequence of the exhaustion is that other services on the node, e.g. other containers, will be unable to allocate memory and thus causing a denial of service. Malicious apps accidentally pulled by users on the host and have the access to send HTTP requests to localhost may make an attack. It will be affected only when users enable the `ServiceBus` module in the config file `edgecore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the `ServiceBus` module in the config file `edgecore.yaml`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-11T20:05:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rh"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/kubeedge/kubeedge/pull/4038"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/kubeedge/kubeedge/pull/4039"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/kubeedge/kubeedge/pull/4042"}], "source": {"advisory": "GHSA-vwm6-qc77-v2rh", "discovery": "UNKNOWN"}, "title": "KubeEdge Edge ServiceBus module DoS", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31073", "STATE": "PUBLIC", "TITLE": "KubeEdge Edge ServiceBus module DoS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "kubeedge", "version": {"version_data": [{"version_value": "< 1.9.4"}, {"version_value": ">= 1.10.0, < 1.10.2"}, {"version_value": "= 1.11.0"}]}}]}, "vendor_name": "kubeedge"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the ServiceBus server on the edge side may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it. It is possible for the node to be exhausted of memory. The consequence of the exhaustion is that other services on the node, e.g. other containers, will be unable to allocate memory and thus causing a denial of service. Malicious apps accidentally pulled by users on the host and have the access to send HTTP requests to localhost may make an attack. It will be affected only when users enable the `ServiceBus` module in the config file `edgecore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the `ServiceBus` module in the config file `edgecore.yaml`."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rh", "refsource": "CONFIRM", "url": "https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rh"}, {"name": "https://github.com/kubeedge/kubeedge/pull/4038", "refsource": "MISC", "url": "https://github.com/kubeedge/kubeedge/pull/4038"}, {"name": "https://github.com/kubeedge/kubeedge/pull/4039", "refsource": "MISC", "url": "https://github.com/kubeedge/kubeedge/pull/4039"}, {"name": "https://github.com/kubeedge/kubeedge/pull/4042", "refsource": "MISC", "url": "https://github.com/kubeedge/kubeedge/pull/4042"}]}, "source": {"advisory": "GHSA-vwm6-qc77-v2rh", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:11:38.399Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rh"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kubeedge/kubeedge/pull/4038"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kubeedge/kubeedge/pull/4039"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kubeedge/kubeedge/pull/4042"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31073", "datePublished": "2022-07-11T20:05:13", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:11:38.399Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:kubeedge:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A932E23-CC93-426C-B4D6-90A7D920CB95", "versionEndExcluding": "1.9.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:kubeedge:*:*:*:*:*:*:*:*", "matchCriteriaId": "8ABDAE98-2267-449F-9FB0-D7A0536D2DE0", "versionEndExcluding": "1.10.2", "versionStartIncluding": "1.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:kubeedge:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D1541C6-7E77-43CC-982C-27768120D625", "versionEndExcluding": "1.11.1", "versionStartIncluding": "1.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the ServiceBus server on the edge side may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it. It is possible for the node to be exhausted of memory. The consequence of the exhaustion is that other services on the node, e.g. other containers, will be unable to allocate memory and thus causing a denial of service. Malicious apps accidentally pulled by users on the host and have the access to send HTTP requests to localhost may make an attack. It will be affected only when users enable the `ServiceBus` module in the config file `edgecore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the `ServiceBus` module in the config file `edgecore.yaml`."}, {"lang": "es", "value": "KubeEdge es un sistema de c\u00f3digo abierto para extender las capacidades de orquestaci\u00f3n de aplicaciones nativas en contenedores a los hosts en Edge. En versiones anteriores a 1.11.1, 1.10.2 y 1.9.4, el servidor ServiceBus en el lado del borde puede ser susceptible de un ataque DoS si le es enviada una petici\u00f3n HTTP que contenga un cuerpo muy grande. Es posible que el nodo quede sin memoria. La consecuencia del agotamiento es que otros servicios en el nodo, por ejemplo, otros contenedores, ser\u00e1n incapaces de asignar memoria, causando as\u00ed una denegaci\u00f3n de servicio. Las aplicaciones maliciosas que accidentalmente sean arrastradas por los usuarios en el host y tengan acceso a enviar peticiones HTTP al localhost pueden realizar un ataque. S\u00f3lo est\u00e1 afectado cuando los usuarios habiliten el m\u00f3dulo \"ServiceBus\" en el archivo de configuraci\u00f3n \"edgecore.yaml\". Este error ha sido corregido en Kubeedge versiones 1.11.1, 1.10.2 y 1.9.4. Como mitigaci\u00f3n, deshabilite el m\u00f3dulo \"ServiceBus\" en el archivo de configuraci\u00f3n \"edgecore.yaml\""}], "id": "CVE-2022-31073", "lastModified": "2022-07-16T13:38:49.150", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-07-11T20:15:08.627", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/kubeedge/kubeedge/pull/4038"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/kubeedge/kubeedge/pull/4039"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/kubeedge/kubeedge/pull/4042"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}