CVE-2022-23526: Helm contains Denial of service through schema file
First published: Wed Dec 14 2022(Updated: )
A flaw was found in Helm, a tool for managing Charts, a pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the_chartutil_ package that could cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation files into structures Go can work with. Some schema files can cause array data structures to be created, causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema files may result in a denial of service.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/helm.sh/helm/v3 | <3.10.3 | 3.10.3 |
| Helm Helm | >=3.0.0<3.10.3 | |
| redhat/helm.sh/helm/v3 | <3.10.3 | 3.10.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/helm/helm/security/advisories/GHSA-67fx-wx78-jx33
- https://github.com/helm/helm/commit/bafafa8bb1b571b61d7a9528da8d40c307dade3d
- https://nvd.nist.gov/vuln/detail/CVE-2022-23526
- https://pkg.go.dev/vuln/GO-2022-1166
- https://github.com/advisories/GHSA-67fx-wx78-jx33 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2155938
- https://access.redhat.com/errata/RHSA-2023:1646
- https://access.redhat.com/errata/RHSA-2023:1326
- https://access.redhat.com/security/cve/cve-2022-23526
- https://access.redhat.com/errata/RHSA-2023:5006
- https://bugzilla.redhat.com/show_bug.cgi?id=2154196
- https://www.cve.org/CVERecord?id=CVE-2022-23526 https://nvd.nist.gov/vuln/detail/CVE-2022-23526 https://github.com/helm/helm/commit/bafafa8bb1b571b61d7a9528da8d40c307dade3d https://github.com/helm/helm/security/advisories/GHSA-67fx-wx78-jx33
Frequently Asked Questions
What is CVE-2022-23526?
CVE-2022-23526 is a vulnerability found in Helm, a tool for managing Charts, where input to functions in the `_chartutil_` package can cause a segmentation violation, leading to a Denial of Service attack.
What is the severity of CVE-2022-23526?
The severity of CVE-2022-23526 is high, with a CVSS score of 7.5.
Which software versions are affected by CVE-2022-23526?
Versions up to and excluding 3.10.3 of the Helm SDK and Helm package for Go and Red Hat are affected by CVE-2022-23526.
How can the CVE-2022-23526 vulnerability be fixed?
To fix the CVE-2022-23526 vulnerability, update Helm to version 3.10.3 or later.
What is the CWE for CVE-2022-23526?
The CWE for CVE-2022-23526 is CWE-476 (NULL Pointer Dereference).
- collector/github-advisory-latest
- alias/GHSA-67fx-wx78-jx33
- alias/CVE-2022-23526
- collector/github-advisory
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/event
- agent/tags
- agent/description
- package-manager/go
- vendor/helm
- canonical/helm helm
- version/helm helm/3.0.0
- package-manager/redhat