CVE-2022-31080

MEDIUM

KubeEdge <1.11.1, <1.10.2, <1.9.4 - DoS

Title source: llm

Description

KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, a large response received by the viaduct WSClient can cause a DoS from memory exhaustion. The entire body of the response is being read into memory which could allow an attacker to send a request that returns a response with a large body. The consequence of the exhaustion is that the process which invokes a WSClient will be in a denial of service. The software is affected If users who are authenticated to the edge side connect to `cloudhub` from the edge side through WebSocket protocol. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. There are currently no known workarounds.

References (1)

Core 1

Core References

Third Party Advisory x_refsource_confirm

https://github.com/kubeedge/kubeedge/security/advisories/GHSA-6wvc-6pww-qr4r

Scores

CVSS v3 4.4

EPSS 0.0034

EPSS Percentile 57.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-770 CWE-400

Status published

Products (2)

kubeedge/kubeedge 1.11.0 - 1.11.1Go

linuxfoundation/kubeedge < 1.9.4

Published Jul 11, 2022

Tracked Since Feb 18, 2026