SB2023010306 - Multiple vulnerabilities in Helm
Published: January 3, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2022-23524)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the strvals package when parsing string values. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
2) Input validation error (CVE-ID: CVE-2022-23525)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the repo package when parsing a repository index file. A remote attacker can pass specially crafted repository index file to the application and perform a denial of service (DoS) attack.
3) Input validation error (CVE-ID: CVE-2022-23526)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the chartutil package. A remote attacker can pass specially crafted JSON Schema validation file to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://github.com/helm/helm/security/advisories/GHSA-6rx9-889q-vv2r
- https://github.com/helm/helm/commit/638ebffbc2e445156f3978f02fd83d9af1e56f5b
- https://github.com/helm/helm/security/advisories/GHSA-53c4-hhmh-vw5q
- https://github.com/helm/helm/security/advisories/GHSA-67fx-wx78-jx33
- https://github.com/helm/helm/commit/bafafa8bb1b571b61d7a9528da8d40c307dade3d