#VU70619 Input validation error in Helm - CVE-2022-23525

Cybersecurity Help s.r.o.

Published: 2023-01-03

Vulnerability identifier: #VU70619

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-23525

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Helm
Web applications / CMS

Vendor: The Helm Project

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the repo package when parsing a repository index file. A remote attacker can pass specially crafted repository index file to the application and perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Helm: 3.0.0 - 3.10.2

External links
https://github.com/helm/helm/commit/638ebffbc2e445156f3978f02fd83d9af1e56f5b
https://github.com/helm/helm/security/advisories/GHSA-53c4-hhmh-vw5q

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps

Multiple vulnerabilities in Dell Streaming Data Platform

Multiple vulnerabilities in OpenShift Container Platform 4.13

SUSE update for helm3

Multiple vulnerabilities in OpenShift Container Platform 4.12

SUSE update for helm

Multiple vulnerabilities in Helm