CVE-2022-36049 — Uncontrolled Resource Consumption in Fluxcd Flux2

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling5 documents5 sources

Severity

7.5HIGHNVD

CNA7.7

EPSS

0.2%

top 54.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Fluxcd Flux2 Github.com Fluxcd Helm-controller Fluxcd Flux2 +2 more

Timeline

PublishedSep 7

Latest updateSep 16

Description

Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to pan…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDfluxcd/helm-controller0.0.4 — 0.23.0

▶Gogithub.com/fluxcd_helm-controller0.0.4 — 0.23.0

▶NVDhelm/helm3.0.0 — 3.9.4

▶NVDfluxcd/flux20.0.17 — 0.32.0

▶Gogithub.com/fluxcd_flux20.0.17 — 0.32.0

🔴Vulnerability Details

GHSA

Helm Controller denial of service↗2022-09-16

▶

OSV

Helm Controller denial of service↗2022-09-16

▶

CVEList

Flux2 Helm Controller denial of service↗2022-09-07

▶

📋Vendor Advisories

Microsoft

Flux2 Helm Controller denial of service↗2022-09-13

▶