Adam Korcz

Name of the Vulnerable Software and Affected Versions: body-parser versions prior to 1.20.3 Description: The issue concerns a denial of service vulnerability when URL encoding is enabled. A malicious actor can use a specially crafted payload to flood the server with a large number of requests, resulting in denial of service. Recommendations: For versions prior to 1.20.3, update to version 1.20.3 to resolve the issue. As a temporary workaround, consider disabling URL encoding until a patch is available. Restrict access to the server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Helm versions prior to 3.10.3 **Description** Helm is a tool for managing Charts, pre-configured Kubernetes resources. The issue results in Uncontrolled Resource Consumption, leading to Denial of Service. Input to functions in the ` strvals ` package can cause a stack overflow, which cannot be recovered from in Go. Applications using functions from the ` strvals ` package in the Helm SDK can suffer a Denial of Service attack when the package panics. The ` strvals ` package contains a parser that turns strings into Go structures, and some string inputs can cause array data structures to be created, leading to a stack overflow. The Helm Client will panic with input to flags like `--set`, `--set-string`, and other value setting flags that cause a stack overflow. **Recommendations** For versions prior to 3.10.3, update to version 3.10.3 to resolve the issue. As a temporary workaround, SDK users can validate strings supplied by users to ensure they won't create large arrays causing significant memory usage before passing them to the ` strvals ` functions.

**Name of the Vulnerable Software and Affected Versions** Helm versions prior to 3.10.3 **Description** The issue concerns a NULL Pointer Dereference in the `chartutil` package that can cause a segmentation violation. This package contains a parser that loads a JSON Schema validation file, which can be used by the Helm client to validate chart values. Certain schema files can cause array data structures to be created, leading to a memory violation. This can result in a Denial of Service when the input causes a panic that cannot be recovered from. The Helm client will panic with a schema file that causes a memory violation panic, but since Helm is not a long-running service, the panic will not affect future uses of the Helm client. **Recommendations** For versions prior to 3.10.3, update to version 3.10.3 to resolve the issue. As a temporary workaround, SDK users can validate schema files that are correctly formatted before passing them to the `chartutil` functions.

**Name of the Vulnerable Software and Affected Versions** Helm versions prior to 3.9.4 **Description** The issue is related to the strvals package in the Helm SDK, which contains a parser that turns strings into Go structures. Some string inputs can cause array data structures to be created, leading to an out of memory panic. Applications that use the strvals package to parse user-supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 3.9.4, update to version 3.9.4 to resolve the issue. As a temporary workaround, SDK users can validate strings supplied by users to ensure they won't create large arrays causing significant memory usage before passing them to the strvals functions.

**Name of the Vulnerable Software and Affected Versions** Argo Events versions prior to 1.7.1 **Description** Argo Events is an event-driven workflow automation framework for Kubernetes. The issue arises from the use of the deprecated `ioutil.ReadAll()` function in several `HandleRoute` endpoints, which reads all data into memory. This allows an attacker to send a large request to the Argo Events server, causing it to crash and resulting in a denial of service. The affected endpoints can be used to cause a denial of service. Events sources susceptible to this out-of-memory denial-of-service attack include AWS SNS, Bitbucket, Gitlab, Slack, Storagegrid, and Webhook. **Recommendations** For versions prior to 1.7.1, update to Argo Events version 1.7.1 to resolve the issue. As a temporary workaround, consider restricting access to the `HandleRoute` endpoints to minimize the risk of exploitation. Avoid sending large requests to the Argo Events server until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CRI-O versions prior to 1.24.1 CRI-O versions prior to 1.23.3 CRI-O versions prior to 1.22.5 CRI-O versions prior to v1.21.8 CRI-O versions prior to v1.20.8 CRI-O versions prior to v1.19.7 **Description** A vulnerability in CRI-O causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large, it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability. **Recommendations** For CRI-O versions prior to 1.24.1, update to version 1.24.1 or later. For CRI-O versions prior to 1.23.3, update to version 1.23.3 or later. For CRI-O versions prior to 1.22.5, update to version 1.22.5 or later. For CRI-O versions prior to v1.21.8, update to version v1.21.8 or later. For CRI-O versions prior to v1.20.8, update to version v1.20.8 or later. For CRI-O versions prior to v1.19.7, update to version v1.19.7 or later. As a temporary workaround, consider restricting access to the Kube API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** kustomize-controller versions prior to 0.15.0 **Description** The issue is related to the kustomize-controller, a Kubernetes operator for running continuous delivery pipelines. It allows users who can create Kubernetes Secrets, Service Accounts, and Flux Kustomization objects to execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges. The vulnerability affects multitenant environments where non-admin users have permissions to create Flux Kustomization objects. **Recommendations** To resolve the issue, update to kustomize-controller version 0.15.0 or later, which no longer executes shell commands on the container OS and has the `kubectl` binary removed from the container image. As a temporary workaround, consider using a Kubernetes validation webhook, such as Gatekeeper OPA or Kyverno, to prevent the creation of Kubernetes Service Accounts with secrets in namespaces owned by tenants.