NULL Pointer Dereference
CVE-2022-23525
Summary
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to a NULL Pointer Dereference in the `repo` package. The `repo` package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The `repo` package parses the index file of the repository and loads it into structures Go can work with. Some index files cause array data structures to be created in a way that leads to a memory violation. Applications that use the `repo` package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm client panics when given an index file that triggers this memory violation. Helm is not a long-running service, so the panic will not affect future uses of the Helm client. SDK users can validate that index files are correctly formatted before passing them to the `repo` functions.
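The defensive pattern the summary recommends for SDK users, as an added example that is not Helm's code: a constructed, reduced index model decoded with encoding/json (standing in for Helm's YAML index parsing), a validator that rejects empty chart entries before anything dereferences them, and a loader whose recover() keeps a malformed index from terminating the process. The nil element in a decoded slice is an assumption of this example; the advisory only says that certain array structures cause the violation.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed, reduced model of the structures an index is decoded into; not Helm's types.
type ChartVersion struct{ Version string `json:"version"` }
type IndexFile struct{ Entries map[string][]*ChartVersion `json:"entries"` }
// Constructed index: the second "nginx" element is null, so decoding leaves a nil
// pointer in the slice (this trigger is an assumption of the example, not the advisory).
const SampleIndex = `{"entries":{"nginx":[{"version":"1.0.0"},null]}}`
// ValidateIndex rejects nil chart versions before anything dereferences them; an SDK
// caller runs this on decoded input before handing it to repository-handling code.
func ValidateIndex(idx *IndexFile) error {
	for name, cvs := range idx.Entries {
		for i, cv := range cvs {
			if cv == nil {
				return fmt.Errorf("entry %q[%d]: empty chart version", name, i)
			}
		}
	}
	return nil
}

// LoadIndex decodes data, validates it when asked, then walks every entry the way an
// unguarded loader would; the deferred recover() turns the nil-dereference panic into an error.
func LoadIndex(data []byte, validate bool) (versions []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			versions, err = nil, fmt.Errorf("index load panicked: %v", r)
		}
	}()
	var idx IndexFile
	if err = json.Unmarshal(data, &idx); err != nil {
		return nil, err
	}
	if validate {
		if err = ValidateIndex(&idx); err != nil {
			return nil, err
		}
	}
	for _, cvs := range idx.Entries {
		for _, cv := range cvs {
			versions = append(versions, cv.Version) // panics when cv == nil
		}
	}
	return versions, nil
}
```

With `validate` set, the malformed sample is rejected with a descriptive error; without it, the same input reaches the dereference and only the recover() stands between the caller and a crash.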
CVSS v3 Metrics
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- User Interaction: NONE
- Availability Impact: HIGH
CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
Advisory Timeline
- Published