cnvd - cnvd-2022-62221

CNVD-2022-62221

Vulnerability from cnvd - Published: 2022-09-08

Title

Helm资源管理错误漏洞

Description

Helm是一款Kubernetes包管理器。 Helm 3.9.3版本及之前版本存在资源管理错误漏洞，该漏洞源于 CNCF 提供的模糊测试识别了 _strvals_ 包中可能导致内存不足恐慌的函数的输入。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

Helm资源管理错误漏洞的补丁

Patch Description

Helm是一款Kubernetes包管理器。 Helm 3.9.3版本及之前版本存在资源管理错误漏洞，该漏洞源于 CNCF 提供的模糊测试识别了 _strvals_ 包中可能导致内存不足恐慌的函数的输入。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh

Reference

https://cxsecurity.com/cveshow/CVE-2022-36055/

Impacted products

Name
helm helm

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-36055"
    }
  },
  "description": "Helm\u662f\u4e00\u6b3eKubernetes\u5305\u7ba1\u7406\u5668\u3002\n\nHelm 3.9.3\u7248\u672c\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e CNCF \u63d0\u4f9b\u7684\u6a21\u7cca\u6d4b\u8bd5\u8bc6\u522b\u4e86 _strvals_ \u5305\u4e2d\u53ef\u80fd\u5bfc\u81f4\u5185\u5b58\u4e0d\u8db3\u6050\u614c\u7684\u51fd\u6570\u7684\u8f93\u5165\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-62221",
  "openTime": "2022-09-08",
  "patchDescription": "Helm\u662f\u4e00\u6b3eKubernetes\u5305\u7ba1\u7406\u5668\u3002\r\n\r\nHelm 3.9.3\u7248\u672c\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e CNCF \u63d0\u4f9b\u7684\u6a21\u7cca\u6d4b\u8bd5\u8bc6\u522b\u4e86 _strvals_ \u5305\u4e2d\u53ef\u80fd\u5bfc\u81f4\u5185\u5b58\u4e0d\u8db3\u6050\u614c\u7684\u51fd\u6570\u7684\u8f93\u5165\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Helm\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "helm helm"
  },
  "referenceLink": "https://cxsecurity.com/cveshow/CVE-2022-36055/",
  "serverity": "\u4e2d",
  "submitTime": "2022-09-05",
  "title": "Helm\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2022-36055 (GCVE-0-2022-36055)

Vulnerability from cvelistv5 – Published: 2022-09-01 12:15 – Updated: 2025-04-23 17:32

Summary

Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/helm/helm/security/advisories/…	x_refsource_CONFIRM
	https://github.com/helm/helm/releases/tag/v3.9.4	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	helm	helm	Affected: < 3.9.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:52:00.289Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/helm/helm/releases/tag/v3.9.4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-36055",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:01:38.428309Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T17:32:44.520Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "helm",
          "vendor": "helm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.9.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-01T12:15:13.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/helm/helm/releases/tag/v3.9.4"
        }
      ],
      "source": {
        "advisory": "GHSA-7hfp-qfw3-5jxh",
        "discovery": "UNKNOWN"
      },
      "title": "Denial of service in Helm",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-36055",
          "STATE": "PUBLIC",
          "TITLE": "Denial of service in Helm"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "helm",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 3.9.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "helm"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400: Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh",
              "refsource": "CONFIRM",
              "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"
            },
            {
              "name": "https://github.com/helm/helm/releases/tag/v3.9.4",
              "refsource": "MISC",
              "url": "https://github.com/helm/helm/releases/tag/v3.9.4"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-7hfp-qfw3-5jxh",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-36055",
    "datePublished": "2022-09-01T12:15:13.000Z",
    "dateReserved": "2022-07-15T00:00:00.000Z",
    "dateUpdated": "2025-04-23T17:32:44.520Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-62221

CVE-2022-36055 (GCVE-0-2022-36055)

Tags

Sightings

Nomenclature