| modules: |
| - module: helm.sh/helm/v3 |
| versions: |
| - fixed: 3.9.4 |
| vulnerable_at: 3.9.3 |
| packages: |
| - package: helm.sh/helm/v3/pkg/strvals |
| symbols: |
| - setIndex |
| derived_symbols: |
| - Parse |
| - ParseFile |
| - ParseInto |
| - ParseIntoFile |
| - ParseIntoString |
| - ParseString |
| - ToYAML |
| description: |- |
| Applications that use the strvals package in the Helm SDK to parse user |
| supplied input can suffer a Denial of Service when that input causes a |
| panic that cannot be recovered from. |
| |
| The strvals package contains a parser that turns strings into Go |
| structures. For example, the Helm client has command line flags like --set, |
| --set-string, and others that enable the user to pass in strings that are |
| merged into the values. The strvals package converts these strings into |
| structures Go can work with. Some string inputs can cause array data |
| structures to be created causing an out of memory panic. |
| |
| The Helm Client will panic with input to --set, --set-string, and other |
| value setting flags that causes an out of memory panic. Helm is not a long |
| running service so the panic will not affect future uses of the Helm client. |
| published: 2022-09-02T15:19:52Z |
| cves: |
| - CVE-2022-36055 |
| ghsas: |
| - GHSA-7hfp-qfw3-5jxh |
| credit: Ada Logics in a fuzzing audit sponsored by CNCF |
| references: |
| - advisory: https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh |
| - fix: https://github.com/helm/helm/commit/10466e3e179cc8cad4b0bb451108d3c442c69fbc |
| - web: https://github.com/helm/helm/releases/tag/v3.9.4 |