Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
modules:
- module: TODO
versions:
- introduced: TODO (earliest fixed "3.10.3", vuln range "<= 3.10.2")
packages:
- package: helm.sh/helm/v3
description: "Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input
to functions in the _strvals_ package that can cause a stack overflow. In Go,
a stack overflow cannot be recovered from. Applications that use functions from
the _strvals_ package in the Helm SDK can have a Denial of Service attack when
they use this package and it panics.\n\n### Impact\n\nThe _strvals_ package contains
a parser that turns strings into Go structures. For example, the Helm client has
command line flags like `--set`, `--set-string`, and others that enable the user
to pass in strings that are merged into the values. The _strvals_ package converts
these strings into structures Go can work with. Some string inputs can cause array
data structures to be created causing a stack overflow.\n\nApplications that use
the _strvals_ package in the Helm SDK to parse user supplied input can suffer
a Denial of Service when that input causes a panic that cannot be recovered from.\n\nThe
Helm Client will panic with input to `--set`, `--set-string`, and other value
setting flags that causes a stack overflow. Helm is not a long running service
so the panic will not affect future uses of the Helm client.\n\n### Patches\n\nThis
issue has been resolved in 3.10.3. \n\n### Workarounds\n\nSDK users can validate
strings supplied by users won't create large arrays causing significant memory
usage before passing them to the _strvals_ functions.\n\n### For more information\n\nHelm's
security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md)
document.\n\n### Credits\n\nDisclosed by Ada Logics in a fuzzing audit sponsored
by CNCF."
cves:
- CVE-2022-23524
ghsas:
- GHSA-6rx9-889q-vv2r
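The Workarounds section of the advisory above tells SDK users to validate user-supplied strings before passing them to the _strvals_ functions. The following Go program is an added example of such a pre-check; it is not Helm's code, and the limits `DefaultMaxIndex` and `DefaultMaxDepth` are constructed for illustration rather than taken from the fixed release. It inspects only the keys of a `k1=v1,k2=v2` string (the size of every `[n]` array index and the number of path components per key) and leaves the real parsing to a function such as `strvals.ParseInto`, which is not imported here so the example runs on its own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Illustrative limits, constructed for this example (not Helm's constants).
const (
	DefaultMaxIndex = 1024 // largest array index a key may address
	DefaultMaxDepth = 16   // most path components per key (a.b[0].c has 3)
)

// ValidateSetString is a cheap structural pre-check for a "k1=v1,k2=v2"
// string of the kind passed to --set. It inspects only the keys: each array
// index must be a non-negative integer no larger than maxIndex, and each key
// may have at most maxDepth path components. Run it before handing the string
// to the real parser (for instance strvals.ParseInto) so that input which
// would make the parser build huge arrays or recurse deeply is refused first.
func ValidateSetString(s string, maxIndex, maxDepth int) error {
	i := 0
	for i < len(s) {
		// A key runs to the next unescaped '=' or ','; a backslash escapes
		// the following byte, as it does in strvals.
		start := i
		for i < len(s) && s[i] != '=' && s[i] != ',' {
			if s[i] == '\\' && i+1 < len(s) {
				i++
			}
			i++
		}
		if err := checkKey(s[start:i], maxIndex, maxDepth); err != nil {
			return err
		}
		if i < len(s) && s[i] == '=' {
			i = skipValue(s, i+1)
		}
		if i < len(s) && s[i] == ',' {
			i++
		}
	}
	return nil
}

// skipValue advances past a value, honouring backslash escapes and keeping
// commas inside {...} list literals from ending the value early.
func skipValue(s string, i int) int {
	braces := 0
	for i < len(s) {
		switch s[i] {
		case '\\':
			i++ // the escaped byte belongs to the value
		case '{':
			braces++
		case '}':
			if braces > 0 {
				braces--
			}
		case ',':
			if braces == 0 {
				return i
			}
		}
		i++
	}
	return i
}

// checkKey bounds the array indices and the nesting depth of a single key.
func checkKey(key string, maxIndex, maxDepth int) error {
	depth := 1
	for i := 0; i < len(key); {
		switch key[i] {
		case '\\':
			i += 2 // escaped byte: "a\.b" stays one component
		case '.':
			depth++
			i++
		case '[':
			end := strings.IndexByte(key[i:], ']')
			if end < 0 {
				return fmt.Errorf("rejecting key %q: unterminated '['", key)
			}
			idx, err := strconv.Atoi(key[i+1 : i+end])
			if err != nil || idx < 0 {
				// Conservative: refuse anything that is not a plain non-negative integer.
				return fmt.Errorf("rejecting key %q: bad array index %q", key, key[i+1:i+end])
			}
			if idx > maxIndex {
				return fmt.Errorf("rejecting key %q: index %d exceeds limit %d", key, idx, maxIndex)
			}
			depth++
			i += end + 1
		default:
			i++
		}
	}
	if depth > maxDepth {
		return fmt.Errorf("rejecting key %q: %d path components, limit is %d", key, depth, maxDepth)
	}
	return nil
}

func main() {
	for _, in := range []string{"image.tag=1.2.3,replicas=3", "servers[1000000].port=8080"} {
		fmt.Printf("%q -> %v\n", in, ValidateSetString(in, DefaultMaxIndex, DefaultMaxDepth))
	}
}
```

Call `ValidateSetString` on the raw string before `strvals.ParseInto` and treat any error as a rejected request. The check is deliberately conservative: it refuses an index that is not a plain non-negative integer instead of guessing how the parser would treat it, and the two limits should be set to the largest values the application genuinely needs to accept, since anything above them is exactly the kind of input the advisory says can exhaust the stack.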
In GitHub Security Advisory GHSA-6rx9-889q-vv2r, there is a vulnerability in the Go packages or modules listed above.