CVE-2022-23524

Aliases:GHSA-6rx9-889q-vv2rBIT-helm-2022-23524GO-2022-1167
Advisory lineage Upstream: 0 Downstream: 3
Modified
Published: 15 Dec 2022, 00:28
Last modified:18 Apr 2025, 15:59

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.08% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

15 Dec 2022, 00:28
Published
Vulnerability first disclosed
18 Apr 2025, 15:59
Last Modified
Vulnerability information updated

Description

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.

CVSS Metrics

  • v3.1MEDIUMScore: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.08% Percentile: 23%

Techniques & Countermeasures

  • CWE-400Uncontrolled Resource Consumption

    The product does not properly control the allocation and maintenance of a limited resource.

  • CWE-770Allocation of Resources Without Limits or Throttling

    The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

  • helm.sh/helmv3

    < 3.10.3

  • helmhelm

    < v3.10.3 | ≥ 3.0.0, < 3.10.3

References (5)