cvedb.io
CVE-2022-39272
MEDIUM · CVSS 5
EPSS exploitation probability: 0%
Published 2022-10-22T00:15:09.310 · Last modified 2026-06-17T04:58:02.757

Summary

Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be employed to restrict the values that can be used for fields `.spec.interval` and `.spec.timeout`, however upgrading to the latest versions is still the recommended mitigation.

Affected products

fluxcd — flux2

Does this affect you?

Add your gear to cvedb and we'll alert you only when fluxcd ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.