CVE-2022-23526

CVSS V2 None CVSS V3 None
Description
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the_chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the _chartutil_ functions.
Overview
  • CVE ID
  • CVE-2022-23526
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-12-15T19:15:17
  • Last Modified Date
  • 2022-12-20T14:40:23
Weakness Enumerations
CWE URL
CWE-476 http://cwe.mitre.org/data/definitions/476.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:* 1 OR 3.0.0 3.10.3
References
Reference URL Reference Tags
https://github.com/helm/helm/commit/bafafa8bb1b571b61d7a9528da8d40c307dade3d
https://github.com/helm/helm/security/advisories/GHSA-67fx-wx78-jx33
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-23526
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23526
History
Created Old Value New Value Data Type Notes
2022-12-15 19:16:03 Added to TrackCVE
2022-12-15 20:15:19 2022-12-15T19:15:17.167 2022-12-15T19:15:17 CVE Published Date updated
2022-12-15 20:15:19 2022-12-15T19:56:28 CVE Modified Date updated
2022-12-15 20:15:19 Received Awaiting Analysis Vulnerability Status updated
2022-12-18 09:30:14 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2022-12-21 07:02:29 2022-12-20T14:40:23 CVE Modified Date updated
2022-12-21 07:02:29 Undergoing Analysis Analyzed Vulnerability Status updated
2022-12-21 07:02:31 CPE Information updated