Описание
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The repo package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The repo package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the repo package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the repo functions.
A flaw was found in Helm. Applications that use the repo package in Helm SDK to parse an index file may suffer a denial of service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic.
Отчет
Red Hat has rated this a Moderate impact as Helm is a user utility, which when ran locally, interacts with the kubernetes API. As such, a panic in the Helm client does not constitute an availability impact to the rest of the system(s).
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Will not fix | ||
| Cryostat 2 | cryostat-tech-preview/cryostat-rhel8-operator | Not affected | ||
| OpenShift Developer Tools and Services | jenkins-operator-container | Will not fix | ||
| OpenShift Serverless | openshift-serverless-1/ingress-rhel8-operator | Will not fix | ||
| Red Hat 3scale API Management Platform 2 | 3scale-operator-container | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-rhel8 | Will not fix | ||
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-central-db-rhel8 | Affected | ||
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-docs-rhel8 | Affected | ||
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-main-rhel8 | Affected | ||
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-rhel8-operator | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before pa
Helm vulnerable to Denial of service via NULL Pointer Dereference
Helm is a tool for managing Charts, pre-configured Kubernetes resource ...
Helm vulnerable to denial of service through through repository index file
EPSS
7.5 High
CVSS3