CVE-2022-39272 | Flux2 vulnerable to Denial of Service due to Improper use of metav1.Duration

Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to the fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, admission controllers can be employed to restrict the values that can be used for the fields `.spec.interval` and `.spec.timeout`; however, upgrading to the latest versions is still the recommended mitigation.
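The admission-controller workaround described above, as an added example that is not Flux's own code: a validator that an admission webhook could run over an incoming Flux object, accepting `.spec.interval` and `.spec.timeout` only when they parse as Go durations (the format a `metav1.Duration` is decoded from) and are positive. The positivity rule and the plain-JSON input shape are assumptions; the nested variants of these fields that the advisory mentions are not handled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

var durationFields = []string{"interval", "timeout"} // fields the advisory names as the DoS vector

// checkDuration accepts only what time.ParseDuration accepts (the format a
// metav1.Duration is parsed from) and, as an assumed extra policy, only positive values.
func checkDuration(field, raw string) error {
	d, err := time.ParseDuration(raw)
	if err != nil {
		return fmt.Errorf("%s: %q is not a valid duration", field, raw)
	}
	if d <= 0 {
		return fmt.Errorf("%s: %q must be positive", field, raw)
	}
	return nil
}

// ValidateObject takes a Flux object as JSON (the form an admission webhook sees)
// and returns one violation per bad .spec.interval / .spec.timeout value.
// Only the two top-level fields are checked; nested variants are not covered.
func ValidateObject(objJSON []byte) []string {
	var obj struct {
		Spec map[string]json.RawMessage `json:"spec"`
	}
	if err := json.Unmarshal(objJSON, &obj); err != nil {
		return []string{"object is not valid JSON: " + err.Error()}
	}
	var violations []string
	for _, f := range durationFields {
		raw, ok := obj.Spec[f]
		if !ok {
			continue // absent field: the controller default applies
		}
		var s string
		if err := json.Unmarshal(raw, &s); err != nil {
			violations = append(violations, ".spec."+f+": must be a string, got "+string(raw))
			continue
		}
		if err := checkDuration(".spec."+f, s); err != nil {
			violations = append(violations, err.Error())
		}
	}
	return violations
}
```

Wired into a ValidatingAdmissionWebhook, a non-empty return would map to a denied review response, so a malformed value never reaches the controller.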

Published: 2022-10-22 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2022-39272 is rated Low Risk (38.9/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.31%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2022-39272

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#  Date        Old EPSS score  New EPSS score  Delta (New - Old)
1  2025-11-21  0.20%           0.31%           +0.11%
2  2025-11-18  0.32%           0.20%           -0.12%
3  2025-11-03                  0.32%

Full EPSS history (10 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2022-39272

CVSS metrics for this CVE.

Base score  Version  Severity  Vector                                        Exploitability  Impact  Score source
5.0         3.1      MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L  3.1             1.4     [email protected]
4.3         3.1      MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L  2.8             1.4     [email protected]

The two vectors differ only in the Scope metric (S:C in the first, S:U in the second). Metric breakdown:

Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C, first vector)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Scope (S:U, second vector)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.

Weakness enumeration for CVE-2022-39272

GitHub Security Advisory for CVE-2022-39272

GHSA-f4p5-x4vc-mh4v · Severity: medium · Ecosystem: go — Improper use of metav1.Duration allows for Denial of Service

OS Trackers for CVE-2022-39272

Vendor  Priority  Summary                                                                                                                            Link
alpine  medium    CVE-2022-39272: 1 source package row (flux); 3 state rows across 3 repos (3.21-community, 3.22-community, edge-community); fixed 3, open 0.  https://security.alpinelinux.org/vuln/CVE-2022-39272

Affected software / configurations for CVE-2022-39272

Vendor Product Version Raw CPE
fluxcd flux2 >= 0.1.0, < 0.35.0 cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*
fluxcd helm-controller >= 0.0.2, < 0.24.0 cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*
fluxcd helm-controller 0.0.1 cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha1:*:*:*:*:*:*
fluxcd helm-controller 0.0.1 cpe:2.3:a:fluxcd:helm-controller:0.0.1:alpha2:*:*:*:*:*:*
fluxcd helm-controller 0.0.1 cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta1:*:*:*:*:*:*
fluxcd helm-controller 0.0.1 cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta2:*:*:*:*:*:*
fluxcd helm-controller 0.0.1 cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta3:*:*:*:*:*:*
fluxcd helm-controller 0.0.1 cpe:2.3:a:fluxcd:helm-controller:0.0.1:beta4:*:*:*:*:*:*
fluxcd image-automation-controller >= 0.1.0, < 0.26.0 cpe:2.3:a:fluxcd:image-automation-controller:*:*:*:*:*:*:*:*
fluxcd image-reflector-controller >= 0.1.0, < 0.22.0 cpe:2.3:a:fluxcd:image-reflector-controller:*:*:*:*:*:*:*:*
fluxcd kustomize-controller >= 0.0.2, < 0.29.0 cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:*
fluxcd kustomize-controller 0.0.1 cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha1:*:*:*:*:*:*
fluxcd kustomize-controller 0.0.1 cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha2:*:*:*:*:*:*
fluxcd kustomize-controller 0.0.1 cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha3:*:*:*:*:*:*
fluxcd kustomize-controller 0.0.1 cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha4:*:*:*:*:*:*
fluxcd kustomize-controller 0.0.1 cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha5:*:*:*:*:*:*
fluxcd kustomize-controller 0.0.1 cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha6:*:*:*:*:*:*
fluxcd kustomize-controller 0.0.1 cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha7:*:*:*:*:*:*
fluxcd kustomize-controller 0.0.1 cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha8:*:*:*:*:*:*
fluxcd kustomize-controller 0.0.1 cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:alpha9:*:*:*:*:*:*
fluxcd kustomize-controller 0.0.1 cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta1:*:*:*:*:*:*
fluxcd kustomize-controller 0.0.1 cpe:2.3:a:fluxcd:kustomize-controller:0.0.1:beta2:*:*:*:*:*:*
fluxcd notification-controller >= 0.0.2, < 0.27.0 cpe:2.3:a:fluxcd:notification-controller:*:*:*:*:*:*:*:*
fluxcd notification-controller 0.0.1 cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha1:*:*:*:*:*:*
fluxcd notification-controller 0.0.1 cpe:2.3:a:fluxcd:notification-controller:0.0.1:alpha2:*:*:*:*:*:*
fluxcd notification-controller 0.0.1 cpe:2.3:a:fluxcd:notification-controller:0.0.1:beta1:*:*:*:*:*:*
fluxcd source-controller >= 0.0.2, < 0.30.0 cpe:2.3:a:fluxcd:source-controller:*:*:*:*:*:*:*:*
fluxcd source-controller 0.0.1 cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha1:*:*:*:*:*:*
fluxcd source-controller 0.0.1 cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha2:*:*:*:*:*:*
fluxcd source-controller 0.0.1 cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha3:*:*:*:*:*:*
fluxcd source-controller 0.0.1 cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha4:*:*:*:*:*:*
fluxcd source-controller 0.0.1 cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha5:*:*:*:*:*:*
fluxcd source-controller 0.0.1 cpe:2.3:a:fluxcd:source-controller:0.0.1:alpha6:*:*:*:*:*:*
fluxcd source-controller 0.0.1 cpe:2.3:a:fluxcd:source-controller:0.0.1:beta1:*:*:*:*:*:*
fluxcd source-controller 0.0.1 cpe:2.3:a:fluxcd:source-controller:0.0.1:beta2:*:*:*:*:*:*

References for CVE-2022-39272

cvelogic Threat Intelligence