{"id":"GO-2022-1071","summary":"Denial of service in flux controllers in github.com/fluxcd modules","details":"Flux controllers are vulnerable to a denial of service attack.\n\nUsers that have permissions to change Flux's objects, either through a Flux source or directly within a cluster, can provide invalid data to fields .spec.interval or .spec.timeout (and structured variations of these fields), causing the entire object type to stop being processed.\n\nThe issue has two root causes: a) the Kubernetes type metav1.Duration is not fully compatible with the Go type time.Duration as explained in https://github.com/kubernetes/apimachinery/issues/131, and b) a lack of validation within Flux to restrict allowed values.","aliases":["BIT-flux-2022-39272","BIT-kustomize-2022-39272","CVE-2022-39272","GHSA-f4p5-x4vc-mh4v"],"modified":"2026-03-17T04:29:12.424078Z","published":"2022-10-28T16:07:05Z","related":["CGA-hwg5-22j5-jjq4"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2022-1071"},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-f4p5-x4vc-mh4v"},{"type":"FIX","url":"https://github.com/fluxcd/helm-controller/pull/533"},{"type":"FIX","url":"https://github.com/fluxcd/image-automation-controller/pull/439"},{"type":"FIX","url":"https://github.com/fluxcd/image-reflector-controller/pull/314"},{"type":"FIX","url":"https://github.com/fluxcd/kustomize-controller/pull/731"},{"type":"FIX","url":"https://github.com/fluxcd/notification-controller/pull/420"},{"type":"FIX","url":"https://github.com/fluxcd/source-controller/pull/903"},{"type":"WEB","url":"https://github.com/kubernetes/apimachinery#131"}],"affected":[{"package":{"name":"github.com/fluxcd/helm-controller/api","ecosystem":"Go","purl":"pkg:golang/github.com/fluxcd/helm-controller/api"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.26.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/fluxcd/helm-controller/api/v2beta1"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-1071.json"}},{"package":{"name":"github.com/fluxcd/image-automation-controller/api","ecosystem":"Go","purl":"pkg:golang/github.com/fluxcd/image-automation-controller/api"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.26.1"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/fluxcd/image-automation-controller/api/v1beta1"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-1071.json"}},{"package":{"name":"github.com/fluxcd/image-reflector-controller/api","ecosystem":"Go","purl":"pkg:golang/github.com/fluxcd/image-reflector-controller/api"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.22.1"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/fluxcd/image-reflector-controller/api/v1beta1"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-1071.json"}},{"package":{"name":"github.com/fluxcd/kustomize-controller/api","ecosystem":"Go","purl":"pkg:golang/github.com/fluxcd/kustomize-controller/api"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.30.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/fluxcd/kustomize-controller/api/v1beta2"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-1071.json"}},{"package":{"name":"github.com/fluxcd/notification-controller/api","ecosystem":"Go","purl":"pkg:golang/github.com/fluxcd/notification-controller/api"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.28.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/fluxcd/notification-controller/api/v1beta1"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-1071.json"}},{"package":{"name":"github.com/fluxcd/source-controller/api","ecosystem":"Go","purl":"pkg:golang/github.com/fluxcd/source-controller/api"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.30.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/fluxcd/source-controller/api/v1beta2"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-1071.json"}}],"schema_version":"1.7.5","credits":[{"name":"Alexander Block (@codablock)"}]}