CVE-2022-31054: Argo Events is an automation framework for Kubernetes that uses `ioutil.ReadAll()` before version 1.7.1.
The following versions have been reported to be vulnerable:
- 1.7.0
- 1.7.1
To check whether your application is vulnerable, open the server's log file and search for the string `ioutil.ReadAll()`. If it is present, upgrade the application to 1.7.1 to fix this vulnerability. To upgrade, follow the instructions in the release notes for your application.
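The `ioutil.ReadAll()` pattern named above buffers an entire HTTP request body in memory, so the sender controls how much the server allocates. The following Go example, added here and not taken from Argo Events, contrasts that unbounded read with a read capped by `http.MaxBytesReader`; the `MaxBody` limit, the `/webhook` path and the payloads are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MaxBody is the largest webhook body the handler will buffer. The value is
// an assumption for this example, not a limit taken from Argo Events.
const MaxBody int64 = 1 << 20 // 1 MiB

// readUnbounded mirrors the pre-1.7.1 pattern: io.ReadAll (the successor of
// ioutil.ReadAll) buffers the whole body, however large it is.
func readUnbounded(r *http.Request) ([]byte, error) {
	return io.ReadAll(r.Body)
}

// readBounded wraps the body in http.MaxBytesReader so the read fails with
// an error as soon as more than limit bytes arrive.
func readBounded(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	return io.ReadAll(r.Body)
}

// UnboundedBytes returns how many bytes the unbounded read buffered.
func UnboundedBytes(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(body))
	data, _ := readUnbounded(req)
	return len(data)
}

// AcceptedBytes returns how many bytes the bounded read accepted, or -1 when
// the body exceeded limit and was rejected.
func AcceptedBytes(body string, limit int64) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(body))
	data, err := readBounded(httptest.NewRecorder(), req, limit)
	if err != nil {
		return -1
	}
	return len(data)
}

func main() {
	small := `{"event":"push"}`     // constructed payload, under a 32-byte limit
	large := strings.Repeat("A", 64) // constructed payload, over a 32-byte limit
	fmt.Println(UnboundedBytes(large), AcceptedBytes(small, 32), AcceptedBytes(large, 32))
}
```

In a real handler, pass `MaxBody` as the limit and answer a rejected read with HTTP 413 rather than buffering the body.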
Vulnerable code example
The following code is vulnerable and could result in a SQL injection if not fixed.
```csharp
// Query text with a positional placeholder for the Id bound
var sql = "SELECT * FROM Products WHERE Id >= ?";
// Executed without supplying a value for the placeholder
var products = db.ExecuteReader(sql);
```
What is Apache TomEE?
Apache TomEE is a Java EE web application server developed by the Apache Software Foundation. It was released on May 29th, 2013.
TomEE includes an embedded OpenJDK and enables developers to develop Java EE 6 applications quickly with minimal overhead.
Vulnerable versions
Vulnerable versions are listed below, along with the release notes for each version:
1.7.0: `ioutil.ReadAll()` Vulnerability
Release Notes: "Added a method to allow users to disable the triggering of auth requests in order to fix an issue with some web framework applications not handling authentication."
Timeline
Published on: 06/13/2022 20:15:00 UTC
Last modified on: 06/27/2022 16:48:00 UTC
References
- https://github.com/argoproj/argo-events/security/advisories/GHSA-5q86-62xr-3r57
- https://github.com/argoproj/argo-events/issues/1946
- https://github.com/argoproj/argo-events/commit/eaabcb6d65022fc34a0cc9ea7f00681abd326b35
- https://github.com/argoproj/argo-events/pull/1966
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31054