cvelistv5 - CVE-2022-36049

CVE-2022-36049 (GCVE-0-2022-36049)

Vulnerability from cvelistv5 – Published: 2022-09-07 20:15 – Updated: 2025-04-23 17:14

Summary

Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/fluxcd/flux2/security/advisori…	x_refsource_CONFIRM
	https://github.com/helm/helm/security/advisories/…	x_refsource_MISC
	https://bugs.chromium.org/p/oss-fuzz/issues/detai…	x_refsource_MISC
	https://bugs.chromium.org/p/oss-fuzz/issues/detai…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	fluxcd	flux2	Affected: >= 0.0.4, < 0.23.0 Affected: >= 0.0.17, < 0.32.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:52:00.382Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-36049",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:01:18.559491Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T17:14:00.853Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "flux2",
          "vendor": "fluxcd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.0.4, \u003c 0.23.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.0.17, \u003c 0.32.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-07T20:15:13.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
        }
      ],
      "source": {
        "advisory": "GHSA-p2g7-xwvr-rrw3",
        "discovery": "UNKNOWN"
      },
      "title": "Flux2 Helm Controller denial of service",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-36049",
          "STATE": "PUBLIC",
          "TITLE": "Flux2 Helm Controller denial of service"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "flux2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 0.0.4, \u003c 0.23.0"
                          },
                          {
                            "version_value": "\u003e= 0.0.17, \u003c 0.32.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "fluxcd"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400: Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3",
              "refsource": "CONFIRM",
              "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
            },
            {
              "name": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh",
              "refsource": "MISC",
              "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
            },
            {
              "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996",
              "refsource": "MISC",
              "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
            },
            {
              "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360",
              "refsource": "MISC",
              "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-p2g7-xwvr-rrw3",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-36049",
    "datePublished": "2022-09-07T20:15:13.000Z",
    "dateReserved": "2022-07-15T00:00:00.000Z",
    "dateUpdated": "2025-04-23T17:14:00.853Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.0.0\", \"versionEndExcluding\": \"3.9.4\", \"matchCriteriaId\": \"CF12F100-CF74-44E7-9CA3-587E32370849\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.0.17\", \"versionEndExcluding\": \"0.32.0\", \"matchCriteriaId\": \"29EFFD48-5825-4DB2-9D8B-44AE793C41F1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.0.4\", \"versionEndExcluding\": \"0.23.0\", \"matchCriteriaId\": \"D3138403-4B4C-4C3D-A5BF-816E148A7799\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.\"}, {\"lang\": \"es\", \"value\": \"Flux2 es una herramienta para mantener los clusters de Kubernetes sincronizados con las fuentes de configuraci\\u00f3n, y el controlador Helm de Flux es un operador de Kubernetes que permite administrar de forma declarativa los lanzamientos de gr\\u00e1ficos de Helm. Helm-controller est\\u00e1 estrechamente integrado con el SDK de Helm. Una vulnerabilidad encontrada en el SDK de Helm que afecta a flux2 versiones v0.0.17 hasta v0.32.0 y a helm-controller versiones v0.0.4 hasta v0.23.0, permite que determinadas entradas de datos causen un alto consumo de memoria. En algunas plataformas, esto podr\\u00eda causar que el controlador entre en p\\u00e1nico y deje de procesar las conciliaciones. En un entorno de cl\\u00fasteres compartidos con m\\u00faltiples inquilinos, un inquilino podr\\u00eda crear un HelmRelease que hace que el controlador entre en p\\u00e1nico, denegando a todos los dem\\u00e1s inquilinos la reconciliaci\\u00f3n de sus HelmRelease. Los parches est\\u00e1n disponibles en flux2 versi\\u00f3n v0.32.0 y helm-controller versi\\u00f3n v0.23.0\"}]",
      "id": "CVE-2022-36049",
      "lastModified": "2024-11-21T07:12:16.093",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\", \"baseScore\": 7.7, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2022-09-07T21:15:08.483",
      "references": "[{\"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-36049\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-09-07T21:15:08.483\",\"lastModified\":\"2024-11-21T07:12:16.093\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.\"},{\"lang\":\"es\",\"value\":\"Flux2 es una herramienta para mantener los clusters de Kubernetes sincronizados con las fuentes de configuraci\u00f3n, y el controlador Helm de Flux es un operador de Kubernetes que permite administrar de forma declarativa los lanzamientos de gr\u00e1ficos de Helm. Helm-controller est\u00e1 estrechamente integrado con el SDK de Helm. Una vulnerabilidad encontrada en el SDK de Helm que afecta a flux2 versiones v0.0.17 hasta v0.32.0 y a helm-controller versiones v0.0.4 hasta v0.23.0, permite que determinadas entradas de datos causen un alto consumo de memoria. En algunas plataformas, esto podr\u00eda causar que el controlador entre en p\u00e1nico y deje de procesar las conciliaciones. En un entorno de cl\u00fasteres compartidos con m\u00faltiples inquilinos, un inquilino podr\u00eda crear un HelmRelease que hace que el controlador entre en p\u00e1nico, denegando a todos los dem\u00e1s inquilinos la reconciliaci\u00f3n de sus HelmRelease. Los parches est\u00e1n disponibles en flux2 versi\u00f3n v0.32.0 y helm-controller versi\u00f3n v0.23.0\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.9.4\",\"matchCriteriaId\":\"CF12F100-CF74-44E7-9CA3-587E32370849\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.0.17\",\"versionEndExcluding\":\"0.32.0\",\"matchCriteriaId\":\"29EFFD48-5825-4DB2-9D8B-44AE793C41F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.0.4\",\"versionEndExcluding\":\"0.23.0\",\"matchCriteriaId\":\"D3138403-4B4C-4C3D-A5BF-816E148A7799\"}]}]}],\"references\":[{\"url\":\"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T09:52:00.382Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-36049\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T14:01:18.559491Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T14:01:20.086Z\"}}], \"cna\": {\"title\": \"Flux2 Helm Controller denial of service\", \"source\": {\"advisory\": \"GHSA-p2g7-xwvr-rrw3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"fluxcd\", \"product\": \"flux2\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.0.4, \u003c 0.23.0\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.0.17, \u003c 0.32.0\"}]}], \"references\": [{\"url\": \"https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-09-07T20:15:13.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, \"source\": {\"advisory\": \"GHSA-p2g7-xwvr-rrw3\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003e= 0.0.4, \u003c 0.23.0\"}, {\"version_value\": \"\u003e= 0.0.17, \u003c 0.32.0\"}]}, \"product_name\": \"flux2\"}]}, \"vendor_name\": \"fluxcd\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3\", \"name\": \"https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\", \"name\": \"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\", \"refsource\": \"MISC\"}, {\"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996\", \"name\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996\", \"refsource\": \"MISC\"}, {\"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360\", \"name\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-400: Uncontrolled Resource Consumption\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-36049\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Flux2 Helm Controller denial of service\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-36049\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T17:14:00.853Z\", \"dateReserved\": \"2022-07-15T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-09-07T20:15:13.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2022-36049

Vulnerability from fkie_nvd - Published: 2022-09-07 21:15 - Updated: 2024-11-21 07:12

Severity ?

7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996	Mailing List, Third Party Advisory
security-advisories@github.com	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360	Mailing List, Third Party Advisory
security-advisories@github.com	https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3	Third Party Advisory
security-advisories@github.com	https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh	Third Party Advisory

Impacted products

Vendor	Product	Version
helm	helm	*
fluxcd	flux2	*
fluxcd	helm-controller	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF12F100-CF74-44E7-9CA3-587E32370849",
              "versionEndExcluding": "3.9.4",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "29EFFD48-5825-4DB2-9D8B-44AE793C41F1",
              "versionEndExcluding": "0.32.0",
              "versionStartIncluding": "0.0.17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3138403-4B4C-4C3D-A5BF-816E148A7799",
              "versionEndExcluding": "0.23.0",
              "versionStartIncluding": "0.0.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."
    },
    {
      "lang": "es",
      "value": "Flux2 es una herramienta para mantener los clusters de Kubernetes sincronizados con las fuentes de configuraci\u00f3n, y el controlador Helm de Flux es un operador de Kubernetes que permite administrar de forma declarativa los lanzamientos de gr\u00e1ficos de Helm. Helm-controller est\u00e1 estrechamente integrado con el SDK de Helm. Una vulnerabilidad encontrada en el SDK de Helm que afecta a flux2 versiones v0.0.17 hasta v0.32.0 y a helm-controller versiones v0.0.4 hasta v0.23.0, permite que determinadas entradas de datos causen un alto consumo de memoria. En algunas plataformas, esto podr\u00eda causar que el controlador entre en p\u00e1nico y deje de procesar las conciliaciones. En un entorno de cl\u00fasteres compartidos con m\u00faltiples inquilinos, un inquilino podr\u00eda crear un HelmRelease que hace que el controlador entre en p\u00e1nico, denegando a todos los dem\u00e1s inquilinos la reconciliaci\u00f3n de sus HelmRelease. Los parches est\u00e1n disponibles en flux2 versi\u00f3n v0.32.0 y helm-controller versi\u00f3n v0.23.0"
    }
  ],
  "id": "CVE-2022-36049",
  "lastModified": "2024-11-21T07:12:16.093",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-07T21:15:08.483",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2022-36049

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-36049

Aliases

CVE-2022-36049

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-36049",
    "description": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.",
    "id": "GSD-2022-36049"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-36049"
      ],
      "details": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.",
      "id": "GSD-2022-36049",
      "modified": "2023-12-13T01:19:21.481844Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-36049",
        "STATE": "PUBLIC",
        "TITLE": "Flux2 Helm Controller denial of service"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "flux2",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 0.0.4, \u003c 0.23.0"
                        },
                        {
                          "version_value": "\u003e= 0.0.17, \u003c 0.32.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "fluxcd"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3",
            "refsource": "CONFIRM",
            "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
          },
          {
            "name": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh",
            "refsource": "MISC",
            "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
          },
          {
            "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996",
            "refsource": "MISC",
            "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
          },
          {
            "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360",
            "refsource": "MISC",
            "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-p2g7-xwvr-rrw3",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=v0.0.17 \u003cv0.32.0",
          "affected_versions": "All versions starting from 0.0.17 before 0.32.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-770",
            "CWE-937"
          ],
          "date": "2022-09-16",
          "description": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.",
          "fixed_versions": [
            "v0.32.0"
          ],
          "identifier": "CVE-2022-36049",
          "identifiers": [
            "GHSA-p2g7-xwvr-rrw3",
            "CVE-2022-36049"
          ],
          "not_impacted": "All versions before 0.0.17, all versions starting from 0.32.0",
          "package_slug": "go/github.com/fluxcd/flux2",
          "pubdate": "2022-09-16",
          "solution": "Upgrade to version 0.32.0 or above.",
          "title": "Allocation of Resources Without Limits or Throttling",
          "urls": [
            "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3",
            "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-36049",
            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996",
            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360",
            "https://github.com/advisories/GHSA-p2g7-xwvr-rrw3"
          ],
          "uuid": "6722dadf-2c30-41a2-8690-03f69437a3e9",
          "versions": [
            {
              "commit": {
                "sha": "e2fd6e8f86967f0db5faae53d8a78d224ef5b84a",
                "tags": [
                  "v0.0.17"
                ],
                "timestamp": "20200820135930"
              },
              "number": "v0.0.17"
            },
            {
              "commit": {
                "sha": "c8ba59dc297ae49a31b0e34b8a13dc0ba923418a",
                "tags": [
                  "v0.32.0"
                ],
                "timestamp": "20220811142933"
              },
              "number": "v0.32.0"
            }
          ]
        },
        {
          "affected_range": "\u003e=v0.0.4 \u003cv0.23.0",
          "affected_versions": "All versions starting from 0.0.4 before 0.23.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-770",
            "CWE-937"
          ],
          "date": "2022-09-16",
          "description": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.",
          "fixed_versions": [
            "v0.23.0"
          ],
          "identifier": "CVE-2022-36049",
          "identifiers": [
            "GHSA-p2g7-xwvr-rrw3",
            "CVE-2022-36049"
          ],
          "not_impacted": "All versions before 0.0.4, all versions starting from 0.23.0",
          "package_slug": "go/github.com/fluxcd/helm-controller",
          "pubdate": "2022-09-16",
          "solution": "Upgrade to version 0.23.0 or above.",
          "title": "Allocation of Resources Without Limits or Throttling",
          "urls": [
            "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3",
            "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-36049",
            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996",
            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360",
            "https://github.com/advisories/GHSA-p2g7-xwvr-rrw3"
          ],
          "uuid": "6e3405a1-8018-4c89-964e-8a4a90cf9f0e",
          "versions": [
            {
              "commit": {
                "sha": "3a7b447fd9a93dfccb2a2a9ef9881f3183d63e02",
                "tags": [
                  "v0.0.4"
                ],
                "timestamp": "20200820122316"
              },
              "number": "v0.0.4"
            },
            {
              "commit": {
                "sha": "5c28d56eadcdb610a57cbb1045476860bd344c43",
                "tags": [
                  "v0.23.0"
                ],
                "timestamp": "20220819101601"
              },
              "number": "v0.23.0"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.9.4",
                "versionStartIncluding": "3.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.23.0",
                "versionStartIncluding": "0.0.4",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.32.0",
                "versionStartIncluding": "0.0.17",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-36049"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux\u0027s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
            },
            {
              "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
            },
            {
              "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
            },
            {
              "name": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-09-12T18:29Z",
      "publishedDate": "2022-09-07T21:15Z"
    }
  }
}

MSRC_CVE-2022-36049

Vulnerability from csaf_microsoft - Published: 2022-09-02 00:00 - Updated: 2022-09-13 00:00

Summary

Flux2 Helm Controller denial of service

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2022-36049 Flux2 Helm Controller denial of service - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-36049.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Flux2 Helm Controller denial of service",
    "tracking": {
      "current_release_date": "2022-09-13T00:00:00.000Z",
      "generator": {
        "date": "2025-10-19T23:55:36.228Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2022-36049",
      "initial_release_date": "2022-09-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-09-13T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.0",
                "product": {
                  "name": "CBL Mariner 1.0",
                  "product_id": "16820"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccm1 helm 3.4.1-17",
                "product": {
                  "name": "\u003ccm1 helm 3.4.1-17",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "cm1 helm 3.4.1-17",
                "product": {
                  "name": "cm1 helm 3.4.1-17",
                  "product_id": "18620"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 helm 3.9.4-2",
                "product": {
                  "name": "\u003ccbl2 helm 3.9.4-2",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 helm 3.9.4-2",
                "product": {
                  "name": "cbl2 helm 3.9.4-2",
                  "product_id": "18621"
                }
              }
            ],
            "category": "product_name",
            "name": "helm"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccm1 helm 3.4.1-17 as a component of CBL Mariner 1.0",
          "product_id": "16820-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cm1 helm 3.4.1-17 as a component of CBL Mariner 1.0",
          "product_id": "18620-16820"
        },
        "product_reference": "18620",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 helm 3.9.4-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 helm 3.9.4-2 as a component of CBL Mariner 2.0",
          "product_id": "18621-17086"
        },
        "product_reference": "18621",
        "relates_to_product_reference": "17086"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-36049",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "18620-16820",
          "18621-17086"
        ],
        "known_affected": [
          "16820-2",
          "17086-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-36049 Flux2 Helm Controller denial of service - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-36049.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-13T00:00:00.000Z",
          "details": "3.4.1-17:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "16820-2"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-09-13T00:00:00.000Z",
          "details": "3.9.4-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-1"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalsScore": 0.0,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "16820-2",
            "17086-1"
          ]
        }
      ],
      "title": "Flux2 Helm Controller denial of service"
    }
  ]
}

GHSA-P2G7-XWVR-RRW3

Vulnerability from github – Published: 2022-09-16 18:49 – Updated: 2022-09-16 18:49

Summary

Helm Controller denial of service

Details

Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK allows for specific data inputs to cause high memory consumption, which in some platforms could cause the controller to panic and stop processing reconciliations.

Impact

In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled.

Credits

The initial crash bug was reported by oss-fuzz. The Flux Security team produced the first exploit and worked together with the Helm Security team to ensure that both projects were patched timely.

For more information

If you have any questions or comments about this advisory: - Open an issue in any of the affected repositories. - Contact us at the CNCF Flux Channel.

References

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996
https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh

Severity ?

7.7 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fluxcd/helm-controller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.4"
            },
            {
              "fixed": "0.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fluxcd/flux2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.17"
            },
            {
              "fixed": "0.32.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T18:49:48Z",
    "nvd_published_at": "2022-09-07T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Helm controller is tightly integrated with the Helm SDK. [A vulnerability](https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh) found in the Helm SDK allows for specific data inputs to cause high memory consumption, which in some platforms could cause the controller to panic and stop processing reconciliations.\n\n### Impact\nIn a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled.\n\n### Credits\n\nThe initial crash bug was reported by [oss-fuzz](https://github.com/google/oss-fuzz). The Flux Security team produced the first exploit and worked together with the Helm Security team to ensure that both projects were patched timely.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n- Open an issue in any of the affected repositories.\n- Contact us at the CNCF Flux Channel.\n\n### References\n\n- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360\n- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996\n- https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\n",
  "id": "GHSA-p2g7-xwvr-rrw3",
  "modified": "2022-09-16T18:49:48Z",
  "published": "2022-09-16T18:49:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36049"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fluxcd/flux2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Helm Controller denial of service"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-36049 (GCVE-0-2022-36049)

FKIE_CVE-2022-36049

GSD-2022-36049

MSRC_CVE-2022-36049

GHSA-P2G7-XWVR-RRW3

Impact

Credits

For more information

References

Tags

Sightings

Nomenclature