CVE-2022-23525 — NULL Pointer Dereference in Helm

CWE-476 — NULL Pointer Dereference7 documents6 sources

Severity

7.5HIGHNVD

CNA5.3

EPSS

0.1%

top 81.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Helm Helm.sh Helm V3

Timeline

PublishedDec 15

Latest updateDec 22

Description

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be c…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5helm/helm< v3.10.3

▶NVDhelm/helm3.0.0 — 3.10.3

▶Gohelm.sh/helm_v3< 3.10.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Denial of service via repository index file in helm.sh/helm/v3↗2022-12-22

▶

CVEList

Helm vulnerable to Denial of service via NULL Pointer Dereference↗2022-12-15

▶

OSV

Helm vulnerable to denial of service through through repository index file↗2022-12-14

▶

GHSA

Helm vulnerable to denial of service through through repository index file↗2022-12-14

▶

📋Vendor Advisories

Red Hat

helm: Denial of service through through repository index file↗2022-12-15

▶

Microsoft

Helm vulnerable to Denial of service via NULL Pointer Dereference↗2022-12-13

▶