| id: GO-2022-0962 |
| modules: |
| - module: helm.sh/helm/v3 |
| versions: |
| - fixed: 3.9.4 |
| vulnerable_at: 3.9.3 |
| packages: |
| - package: helm.sh/helm/v3/pkg/strvals |
| symbols: |
| - setIndex |
| derived_symbols: |
| - Parse |
| - ParseFile |
| - ParseInto |
| - ParseIntoFile |
| - ParseIntoString |
| - ParseString |
| - ToYAML |
| summary: Denial of service through string value parsing in helm.sh/helm/v3 |
| description: |- |
| Applications that use the strvals package in the Helm SDK to parse user supplied |
| input can suffer a Denial of Service when that input causes a panic that cannot |
| be recovered from. |
| |
| The strvals package contains a parser that turns strings into Go structures. For |
| example, the Helm client has command line flags like --set, --set-string, and |
| others that enable the user to pass in strings that are merged into the values. |
| The strvals package converts these strings into structures Go can work with. |
| Some string inputs can cause array data structures to be created causing an out |
| of memory panic. |
| |
| The Helm Client will panic with input to --set, --set-string, and other value |
| setting flags that causes an out of memory panic. Helm is not a long running |
| service so the panic will not affect future uses of the Helm client. |
| published: 2022-09-02T15:19:52Z |
| cves: |
| - CVE-2022-36055 |
| ghsas: |
| - GHSA-7hfp-qfw3-5jxh |
| related: |
| - CVE-2022-36049 |
| - GHSA-p2g7-xwvr-rrw3 |
| credits: |
| - Ada Logics in a fuzzing audit sponsored by CNCF |
| references: |
| - advisory: https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh |
| - fix: https://github.com/helm/helm/commit/10466e3e179cc8cad4b0bb451108d3c442c69fbc |
| - web: https://github.com/helm/helm/releases/tag/v3.9.4 |
| review_status: REVIEWED |