CVE-2022-36049 : Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configur

Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.

Published 2022-09-07 21:15:08

Updated 2022-09-12 18:29:37

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-36049

Helm » Helm
Versions from including (>=) 3.0.0 and before (<) 3.9.4
cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*
Matching versions
Fluxcd » Flux2
Versions from including (>=) 0.0.17 and before (<) 0.32.0
cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*
Matching versions
Fluxcd » Helm-controller
Versions from including (>=) 0.0.4 and before (<) 0.23.0
cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-36049

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 29 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-36049

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.7	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H	3.1	4.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-36049

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Assigned by: security-advisories@github.com (Secondary)
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-36049

https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3

Helm Controller denial of service · Advisory · fluxcd/flux2 · GitHub
Third Party Advisory
https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh

Denial of service through string value parsing · Advisory · helm/helm · GitHub
Third Party Advisory

CVEs referencing this url
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996

44996 - helm:fuzz_engine_render: Out-of-memory in fuzz_engine_render - oss-fuzz
Mailing List;Third Party Advisory
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360

48360 - fluxcd:fuzz_helmrelease_composevalues: Out-of-memory in fuzz_helmrelease_composevalues - oss-fuzz
Mailing List;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-36049

Products affected by CVE-2022-36049

Exploit prediction scoring system (EPSS) score for CVE-2022-36049

CVSS scores for CVE-2022-36049

CWE ids for CVE-2022-36049

References for CVE-2022-36049