OpenCVE

Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fluxcd	Flux2 Helm-controller
Helm	Helm

Configuration 1 [-]

cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:fluxcd:flux2::::::::
	cpe:2.3:a:fluxcd:helm-controller::::::::

No data.

References

Link	Providers
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360
https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3
https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-09-07T20:15:13

Updated: 2024-08-03T09:52:00.382Z

Reserved: 2022-07-15T00:00:00

Link: CVE-2022-36049

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-07T21:15:08.483

Modified: 2024-11-21T07:12:16.093

Link: CVE-2022-36049

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "flux2", "vendor": "fluxcd", "versions": [{"status": "affected", "version": ">= 0.0.4, < 0.23.0"}, {"status": "affected", "version": ">= 0.0.17, < 0.32.0"}]}], "descriptions": [{"lang": "en", "value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-07T20:15:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"}], "source": {"advisory": "GHSA-p2g7-xwvr-rrw3", "discovery": "UNKNOWN"}, "title": "Flux2 Helm Controller denial of service", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36049", "STATE": "PUBLIC", "TITLE": "Flux2 Helm Controller denial of service"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "flux2", "version": {"version_data": [{"version_value": ">= 0.0.4, < 0.23.0"}, {"version_value": ">= 0.0.17, < 0.32.0"}]}}]}, "vendor_name": "fluxcd"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3", "refsource": "CONFIRM", "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"}, {"name": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh", "refsource": "MISC", "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"}, {"name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996", "refsource": "MISC", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"}, {"name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360", "refsource": "MISC", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"}]}, "source": {"advisory": "GHSA-p2g7-xwvr-rrw3", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.382Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36049", "datePublished": "2022-09-07T20:15:13", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:52:00.382Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF12F100-CF74-44E7-9CA3-587E32370849", "versionEndExcluding": "3.9.4", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*", "matchCriteriaId": "29EFFD48-5825-4DB2-9D8B-44AE793C41F1", "versionEndExcluding": "0.32.0", "versionStartIncluding": "0.0.17", "vulnerable": true}, {"criteria": "cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3138403-4B4C-4C3D-A5BF-816E148A7799", "versionEndExcluding": "0.23.0", "versionStartIncluding": "0.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0."}, {"lang": "es", "value": "Flux2 es una herramienta para mantener los clusters de Kubernetes sincronizados con las fuentes de configuraci\u00f3n, y el controlador Helm de Flux es un operador de Kubernetes que permite administrar de forma declarativa los lanzamientos de gr\u00e1ficos de Helm. Helm-controller est\u00e1 estrechamente integrado con el SDK de Helm. Una vulnerabilidad encontrada en el SDK de Helm que afecta a flux2 versiones v0.0.17 hasta v0.32.0 y a helm-controller versiones v0.0.4 hasta v0.23.0, permite que determinadas entradas de datos causen un alto consumo de memoria. En algunas plataformas, esto podr\u00eda causar que el controlador entre en p\u00e1nico y deje de procesar las conciliaciones. En un entorno de cl\u00fasteres compartidos con m\u00faltiples inquilinos, un inquilino podr\u00eda crear un HelmRelease que hace que el controlador entre en p\u00e1nico, denegando a todos los dem\u00e1s inquilinos la reconciliaci\u00f3n de sus HelmRelease. Los parches est\u00e1n disponibles en flux2 versi\u00f3n v0.32.0 y helm-controller versi\u00f3n v0.23.0"}], "id": "CVE-2022-36049", "lastModified": "2024-11-21T07:12:16.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-07T21:15:08.483", "references": [{"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}