Score: 7.7
CWE: CWE-770 (Allocation of Resources Without Limits or Throttling), CWE-400 (Uncontrolled Resource Consumption)

CVE-2022-36049: Flux2 Helm Controller denial of service

First published: Wed Sep 07 2022

Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that declaratively manages Helm chart releases. helm-controller is tightly integrated with the Helm SDK. A vulnerability in the Helm SDK, which affects flux2 from v0.0.17 up to (but not including) v0.32.0 and helm-controller from v0.0.4 up to (but not including) v0.23.0, allows specific data inputs to cause high memory consumption. On some platforms this can make the controller panic and stop processing reconciliations. Because helm-controller is a single, cluster-wide component, the impact is not confined to the tenant that supplied the input: in a shared multi-tenant cluster, a tenant who can create a HelmRelease can make the controller panic and thereby deny every other tenant reconciliation of their Helm releases. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.

Assigner (CNA): security-advisories@github.com

Affected software          Affected versions      How to fix
Helm (Helm SDK)            >=3.0.0, <3.9.4        Upgrade to Helm 3.9.4 or later
Fluxcd flux2               >=0.0.17, <0.32.0      Upgrade to flux2 v0.32.0 or later
Fluxcd helm-controller     >=0.0.4, <0.23.0       Upgrade to helm-controller v0.23.0 or later
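The ranges above use the usual ">=min <max" notation, where the lower bound is affected and the upper bound is the first fixed release. The following is an added example, not code from this page or from the Flux or Helm projects: a small Go checker that encodes those three ranges and reports whether a version string or container image reference falls inside them. The image references in main() are constructed samples in the form that `kubectl get deploy -n flux-system helm-controller -o jsonpath='{.spec.template.spec.containers[0].image}'` would print; nothing here talks to a cluster. The component names used as map keys ("helm", "flux2", "helm-controller") and all function names are this example's own choices.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed major.minor.patch triple. Pre-release and build
// metadata are dropped before comparison, which is conservative here:
// v0.22.2-rc.1 is treated like v0.22.2 and therefore still flagged.
type Version struct{ Major, Minor, Patch int }

// ParseVersion accepts "0.22.2", "v0.22.2" or an image reference such as
// "ghcr.io/fluxcd/helm-controller:v0.22.2" (registry ports are handled:
// the tag is the text after the last ':' only if it contains no '/').
// Digest-only references ("@sha256:...") and untagged images return an
// error, since no version can be read from them.
func ParseVersion(s string) (Version, error) {
	if i := strings.LastIndex(s, ":"); i >= 0 && !strings.Contains(s[i+1:], "/") {
		s = s[i+1:]
	}
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("not a major.minor.patch version: %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less reports whether v sorts strictly before o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// Range is a half-open interval [Min, Max): Min is the first affected
// release, Max is the first fixed one, mirroring ">=min <max" in the table.
type Range struct{ Min, Max Version }

// Contains reports whether v lies inside the affected interval.
func (r Range) Contains(v Version) bool { return !v.Less(r.Min) && v.Less(r.Max) }

// Affected holds the ranges listed on this page for CVE-2022-36049.
var Affected = map[string]Range{
	"helm":            {Version{3, 0, 0}, Version{3, 9, 4}},
	"flux2":           {Version{0, 0, 17}, Version{0, 32, 0}},
	"helm-controller": {Version{0, 0, 4}, Version{0, 23, 0}},
}

// IsVulnerable reports whether the named component, at the version given as
// a plain version string or an image reference, is inside its affected range.
func IsVulnerable(component, version string) (bool, error) {
	r, ok := Affected[component]
	if !ok {
		return false, fmt.Errorf("unknown component %q", component)
	}
	v, err := ParseVersion(version)
	if err != nil {
		return false, err
	}
	return r.Contains(v), nil
}

func main() {
	// Constructed sample image references, as read from a helm-controller
	// Deployment; the first is affected, the other two are not.
	images := []string{
		"ghcr.io/fluxcd/helm-controller:v0.22.2",
		"ghcr.io/fluxcd/helm-controller:v0.23.0",
		"ghcr.io/fluxcd/helm-controller:v0.0.3",
	}
	for _, img := range images {
		vuln, err := IsVulnerable("helm-controller", img)
		if err != nil {
			fmt.Printf("%s: cannot determine version: %v\n", img, err)
			continue
		}
		fmt.Printf("%s affected=%v\n", img, vuln)
	}
}
```

If the controller image is pinned by digest rather than tag, resolve the digest to a release first (for example from the registry's tag list or your image-build metadata); the checker deliberately refuses to guess.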


Frequently Asked Questions

  • What is CVE-2022-36049?

    CVE-2022-36049 is a vulnerability found in the Helm SDK that affects Helm, Flux2, and the Helm-controller.

  • What is the severity of CVE-2022-36049?

    CVE-2022-36049 has a severity score of 7.5, which is considered high. (The header of this page lists 7.7; different assessors score the same issue slightly differently, and both ratings fall in the High band.)

  • Which software is affected by CVE-2022-36049?

    CVE-2022-36049 affects Helm, Flux2, and the Helm-controller.

  • How can I fix CVE-2022-36049?

    To fix CVE-2022-36049, update Helm to version 3.9.4 or higher, Flux2 to version 0.32.0 or higher, and Helm-controller to version 0.23.0 or higher. Helm appears in the list because the defect is in the Helm SDK that helm-controller embeds; for Flux users the effective fix is the helm-controller upgrade, which ships the patched SDK.

  • Where can I find more information about CVE-2022-36049?

    You can find more information about CVE-2022-36049 at the following references: [OSS-Fuzz issue 44996](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996), [OSS-Fuzz issue 48360](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360), [Flux advisory GHSA-p2g7-xwvr-rrw3](https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3)

© 2024 SecAlerts Pty Ltd.