Vulnerability Description
KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. In affected versions, a malicious message response from KubeEdge can crash the CSI Driver controller server by triggering a nil-pointer dereference panic. As a consequence, the CSI Driver controller is left in a denial-of-service state. This bug has been fixed in KubeEdge 1.11.0, 1.10.1, and 1.9.3. Users should update to these versions to resolve the issue. At the time of writing, no workaround exists.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Kubeedge | < 1.9.3 |
Related Weaknesses (CWE)
References
- https://github.com/kubeedge/kubeedge/pull/3899 (Patch, Third Party Advisory)
- https://github.com/kubeedge/kubeedge/pull/3899/commits/5d60ae9eabd6b6b7afe38758e (Patch, Third Party Advisory)
- https://github.com/kubeedge/kubeedge/security/advisories/GHSA-x938-fvfw-7jh5 (Third Party Advisory)
FAQ
What is CVE-2022-31077?
CVE-2022-31077 is a vulnerability with a CVSS score of 4.0 (MEDIUM). KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. In affected versions a malicious message response from KubeEdge...
How severe is CVE-2022-31077?
CVE-2022-31077 has been rated MEDIUM with a CVSS base score of 4.0/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2022-31077?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Kubeedge.