CVE-2022-31077 MEDIUM

CVE-2022-31077: Malicious response from KubeEdge can crash CSI Driver controller server

Vendor Kubeedge
Product kubeedge
Weakness CWE-476
Published June 27, 2022
Last update April 23, 2025

CVSS base score

4.0/10
Attack vector Adjacent
Attack complexity High
Privileges required High
User interaction Required
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

Description

KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. In affected versions, a malicious message response from KubeEdge can crash the CSI Driver controller server by triggering a nil-pointer dereference panic. As a consequence, the CSI Driver controller is left in a denial-of-service state. This bug has been fixed in Kubeedge 1.11.0, 1.10.1, and 1.9.3. Users should update to these versions to resolve the issue. At the time of writing, no workaround exists.

Key dates

Disclosure timeline

June 27, 2022 CVE published
April 23, 2025 Record updated