
Uncontrolled Resource Consumption

CVE-2022-36055

Severity Medium
Score 6.5/10

Summary

Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the `strvals` package that can cause an out-of-memory panic. The `strvals` package contains a parser that turns strings into structures Go can work with. Some string inputs cause it to allocate array data structures large enough to trigger an out-of-memory panic. Applications that use the `strvals` package in the Helm SDK to parse user-supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. In versions prior to 3.9.4 the Helm Client will panic on input to `--set`, `--set-string`, and other value-setting flags that causes such an out-of-memory panic. Helm is not a long-running service, so the panic will not affect future uses of the Helm client. SDK users can validate user-supplied strings, rejecting those that would create large arrays and consume significant memory, before passing them to the `strvals` functions.
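The pre-validation the advisory recommends for SDK users, as an added example (not Helm's own code): it walks the key path of one `--set`-style `key=value` expression and rejects any bracketed array index that is malformed or larger than a cap, so oversized allocations are refused before the string ever reaches the `strvals` parser. The limits `maxInputLen` and `maxIndex` are assumptions chosen for this example; pick values that fit your application, and handle comma-separated multi-value input by splitting it before calling this function.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Limits chosen for this example; they are assumptions, not Helm's own constants.
const (
	maxInputLen = 4096 // longest --set expression we are willing to parse
	maxIndex    = 1024 // largest array index we allow a key path to address
)

var errIndex = errors.New("array index exceeds allowed maximum")

// ValidateSetValue checks a single key=value expression such as
// "servers[0].port=80" before it is handed to the strvals parser.
// It returns an error for over-long input, a missing "=", a malformed
// or negative index, or an index above maxIndex.
func ValidateSetValue(s string) error {
	if len(s) > maxInputLen {
		return fmt.Errorf("input length %d exceeds %d", len(s), maxInputLen)
	}
	key, _, found := strings.Cut(s, "=")
	if !found || key == "" {
		return errors.New("expected key=value")
	}
	rest := key
	for {
		open := strings.IndexByte(rest, '[')
		if open < 0 {
			return nil // no further indexes in the key path
		}
		end := strings.IndexByte(rest[open:], ']')
		if end < 0 {
			return errors.New("unterminated '[' in key")
		}
		idxStr := rest[open+1 : open+end]
		idx, err := strconv.Atoi(idxStr)
		if err != nil || idx < 0 {
			return fmt.Errorf("bad array index %q", idxStr)
		}
		if idx > maxIndex {
			return fmt.Errorf("%w: %d > %d", errIndex, idx, maxIndex)
		}
		rest = rest[open+end+1:] // continue after the closing bracket
	}
}

func main() {
	for _, in := range []string{"servers[0].port=80", "servers[99999999].port=80"} {
		fmt.Printf("%-28s -> %v\n", in, ValidateSetValue(in))
	}
}
```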

CVSS v3.1 base metrics (score 6.5):

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: HIGH

CWE-400 - Uncontrolled resource consumption

An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.

Advisory Timeline

  • Published