CVE-2022-36055: Uncontrolled Resource Consumption in Helm

Severity
6.5 MEDIUM (NVD)
EPSS
0.1% (top 74.73%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 1, 2022
Latest update: Jan 15, 2023

Description

Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out-of-memory panic. The _strvals_ package contains a parser that turns strings into structures Go can work with. Some string inputs cause array data structures to be created that are large enough to trigger an out-of-memory panic. Applications that
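To make the class of input concrete, here is a toy parser written for this page; it is not Helm's _strvals_ code and does not call the Helm SDK. It accepts the `name[index]=value` shape that Helm's `--set` syntax uses for lists, grows a slice to `index+1` elements, and shows why a short string can request an allocation of arbitrary size and where a bound has to sit. `parseListSet`, `allocationBytes`, `ErrIndexTooLarge` and the 65536 limit are this example's own choices, not identifiers from Helm or from the advisories above.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"unsafe"
)

// ErrIndexTooLarge is returned when a list index exceeds the caller's limit.
// The name and the limits used below are this example's own choices.
var ErrIndexTooLarge = errors.New("list index exceeds configured maximum")

// allocationBytes estimates the memory one "name[idx]=value" assignment asks
// the parser to reserve: idx+1 interface slots (16 bytes each on 64-bit).
func allocationBytes(idx int) uint64 {
	return uint64(idx+1) * uint64(unsafe.Sizeof(interface{}(nil)))
}

// parseListSet parses one --set-style assignment. Two forms are accepted:
//   name=value       -> map[string]interface{}{"name": "value"}
//   name[idx]=value  -> map[string]interface{}{"name": []interface{}{..., "value"}}
// In the list form the slice is grown to idx+1 elements so the value can be
// stored at idx. That growth is driven entirely by the number inside the
// brackets, which is the shape of bug the advisory describes.
// maxIndex <= 0 disables the check (the unbounded behaviour); a positive
// maxIndex rejects larger indexes before any allocation is attempted.
func parseListSet(assignment string, maxIndex int) (map[string]interface{}, error) {
	key, value, found := strings.Cut(assignment, "=")
	if !found {
		return nil, fmt.Errorf("missing '=' in %q", assignment)
	}
	open := strings.IndexByte(key, '[')
	if open < 0 {
		return map[string]interface{}{key: value}, nil
	}
	if !strings.HasSuffix(key, "]") || open == 0 {
		return nil, fmt.Errorf("malformed list key %q", key)
	}
	name := key[:open]
	idx, err := strconv.Atoi(key[open+1 : len(key)-1])
	if err != nil || idx < 0 {
		return nil, fmt.Errorf("bad list index in %q", key)
	}
	// The guard must run here, before make(): running out of memory in Go is a
	// fatal runtime error, not an ordinary panic, so recover() cannot catch it.
	if maxIndex > 0 && idx > maxIndex {
		return nil, fmt.Errorf("%w: %d > %d", ErrIndexTooLarge, idx, maxIndex)
	}
	list := make([]interface{}, idx+1)
	list[idx] = value
	return map[string]interface{}{name: list}, nil
}

func main() {
	const maxIndex = 65536 // example limit; choose one that fits your inputs

	// Constructed sample inputs, not taken from any report.
	inputs := []string{
		"replicaCount=3",
		"servers[2]=web",
		"servers[2147483647]=web", // a 23-byte string asking for ~32 GiB
	}
	for _, in := range inputs {
		out, err := parseListSet(in, maxIndex)
		if err != nil {
			fmt.Printf("%-26s rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-26s ok: %v\n", in, out)
	}
	fmt.Printf("an unbounded parse of the last input would try to allocate %d bytes\n",
		allocationBytes(2147483647))
}
```

The point of the layout is that the size check sits between parsing the number and calling `make`; wrapping the SDK call in a `recover()` does not help once the allocation has been attempted, so untrusted values must be bounded (or the fixed Helm release used) before they reach the parser.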

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Exploitability: 2.8 | Impact: 3.6)
The vector encodes a network-reachable, low-complexity, low-privilege attack with no user interaction whose impact is confined to availability (C:N/I:N/A:H), consistent with the denial-of-service titles used by the advisories below.

Affected Packages (3 packages)

Source      Package            Affected versions
CVEList V5  helm/helm          < 3.9.4
NVD         helm/helm          3.0.0 to 3.9.4
Go          helm.sh/helm/v3    < 3.9.4

Vulnerability Details (4)

OSV: Denial of service through string value parsing in helm.sh/helm/v3 (2022-09-02)
CVEList: Denial of service in Helm (2022-09-01)
GHSA: Helm Vulnerable to denial of service through string value parsing (2022-08-30)
OSV: Helm Vulnerable to denial of service through string value parsing (2022-08-30)

Vendor Advisories (3)

Oracle: Oracle Communications Applications Risk Matrix: Core (Helm), CVE-2022-36055 (2023-01-15)
Microsoft: Denial of service in Helm (2022-09-13)
Red Hat: helm: memory panic (2022-09-01)
CVE-2022-36055 — Uncontrolled Resource Consumption | cvebase