CVE-2022-31080 is a vulnerability in Linux Foundation Kubeedge
Published on July 11, 2022
KubeEdge Websocket Client in package Viaduct: DoS from large response message
KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, a large response received by the viaduct WSClient can cause a DoS from memory exhaustion. The entire body of the response is being read into memory which could allow an attacker to send a request that returns a response with a large body. The consequence of the exhaustion is that the process which invokes a WSClient will be in a denial of service. The software is affected If users who are authenticated to the edge side connect to `cloudhub` from the edge side through WebSocket protocol. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. There are currently no known workarounds.
Vulnerability Analysis
CVE-2022-31080 is exploitable with network access, and requires user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2022-31080 has been classified to as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2022-31080
Want to know whenever a new CVE is published for Linux Foundation Kubeedge? stack.watch will email you.
Affected Versions
kubeedge:- Version = 1.11.0 is affected.
- Version >= 1.10.0, < 1.10.2 is affected.
- Version < 1.9.4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.