CVE-2022-23525

CVSS V2 None CVSS V3 None
Description
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the _repo_ functions.
Overview
  • CVE ID
  • CVE-2022-23525
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-12-15T19:15:17
  • Last Modified Date
  • 2022-12-20T15:56:37
Weakness Enumerations
CWE URL
CWE-476 http://cwe.mitre.org/data/definitions/476.html
CWE-476 http://cwe.mitre.org/data/definitions/476.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:* 1 OR 3.0.0 3.10.3
References
Reference URL Reference Tags
https://github.com/helm/helm/commit/638ebffbc2e445156f3978f02fd83d9af1e56f5b
https://github.com/helm/helm/security/advisories/GHSA-53c4-hhmh-vw5q
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-23525
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23525
History
Created Old Value New Value Data Type Notes
2022-12-15 19:16:03 Added to TrackCVE
2022-12-15 20:15:18 2022-12-15T19:15:17.027 2022-12-15T19:15:17 CVE Published Date updated
2022-12-15 20:15:18 2022-12-15T19:56:28 CVE Modified Date updated
2022-12-15 20:15:18 Received Awaiting Analysis Vulnerability Status updated
2022-12-18 09:30:13 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2022-12-21 07:02:29 2022-12-20T15:56:37 CVE Modified Date updated
2022-12-21 07:02:29 Undergoing Analysis Analyzed Vulnerability Status updated
2022-12-21 07:02:30 Weakness Enumeration new
2022-12-21 07:02:31 CPE Information updated