PT-2022-16050 · Helm +2

Adam Korcz +1 · Published 2022-12-14 · Updated 2025-11-28 · CVE-2022-23524

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Helm versions prior to 3.10.3
Description: Helm is a tool for managing Charts, pre-configured Kubernetes resources. The issue is Uncontrolled Resource Consumption leading to Denial of Service. Certain inputs to functions in the strvals package cause a stack overflow, which a Go program cannot recover from: unlike an ordinary panic, exceeding the goroutine stack limit is a fatal runtime error that terminates the whole process. The strvals package contains a parser that turns strings of the form key.subkey[index]=value into Go data structures; some string inputs cause very large or deeply nested array structures to be created, and the parser's recursion exhausts the stack. Applications that call strvals functions from the Helm SDK on untrusted input can therefore be crashed, and the Helm client itself panics on crafted input to --set, --set-string and the other value-setting flags.
Recommendations: For versions prior to 3.10.3, update to version 3.10.3 to resolve the issue. As a temporary workaround, SDK users can validate user-supplied strings before passing them to the strvals functions, rejecting inputs that would create deeply nested structures or large arrays and thus consume significant memory or stack.
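The following is an added example of the pre-validation the workaround describes; it is not Helm's own code. It walks a --set style string (comma-separated key=value pairs, dotted keys, [n] indices, {a,b} lists and backslash-escaped commas), and rejects any key whose nesting depth or array index exceeds a cap before the string would be handed to the strvals parser. The limits MaxNestedNameLevel and MaxIndex, the error names and the function names are choices made for this example, not identifiers from the Helm SDK.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Caps chosen for this example. An SDK consumer would tune them to the
// largest values a legitimate chart actually needs.
const (
	MaxNestedNameLevel = 30    // max number of '.' and '[...]' steps in one key
	MaxIndex           = 65536 // max array index accepted in key[idx]
)

var (
	ErrTooDeep           = errors.New("key nested too deeply")
	ErrIndexTooLarge     = errors.New("array index too large")
	ErrBadIndex          = errors.New("array index is not a non-negative integer")
	ErrUnterminatedIndex = errors.New("unterminated '[' in key")
)

// ValidateSetString checks every key in a --set style string and returns the
// first violation, wrapped with the offending key. A nil result means the
// string is safe to pass on to a strvals parsing function.
func ValidateSetString(s string) error {
	for _, pair := range splitPairs(s) {
		key := pair
		if i := strings.IndexByte(pair, '='); i >= 0 {
			key = pair[:i]
		}
		if err := validateKey(key); err != nil {
			return fmt.Errorf("%q: %w", key, err)
		}
	}
	return nil
}

// splitPairs splits on commas that are neither backslash-escaped nor inside
// a {...} list value, mirroring the separator rules of --set syntax.
func splitPairs(s string) []string {
	var parts []string
	var cur strings.Builder
	depth := 0
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '\\' && i+1 < len(s):
			cur.WriteByte(c)
			i++
			cur.WriteByte(s[i])
		case c == '{':
			depth++
			cur.WriteByte(c)
		case c == '}':
			if depth > 0 {
				depth--
			}
			cur.WriteByte(c)
		case c == ',' && depth == 0:
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(parts, cur.String())
}

// validateKey walks a key such as a.b[3].c, counting one nesting level per
// '.' and per '[idx]' and bounding every index it finds.
func validateKey(key string) error {
	level := 0
	for i := 0; i < len(key); {
		switch key[i] {
		case '.':
			level++
			i++
		case '[':
			end := strings.IndexByte(key[i:], ']')
			if end < 0 {
				return ErrUnterminatedIndex
			}
			idx, err := strconv.Atoi(key[i+1 : i+end])
			if err != nil || idx < 0 {
				return ErrBadIndex
			}
			if idx > MaxIndex {
				return ErrIndexTooLarge
			}
			level++
			i += end + 1
		default:
			i++
		}
		if level > MaxNestedNameLevel {
			return ErrTooDeep
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: one benign, two of the shapes the guard rejects.
	for _, in := range []string{
		"image.tag=1.2.3,replicas=3",
		"hosts[100000].name=evil",
		strings.Repeat("a.", 40) + "b=1",
	} {
		fmt.Printf("%-40q -> %v\n", in, ValidateSetString(in))
	}
}
```

Run the guard on the raw flag value before strvals sees it; a rejected string never reaches the parser, so the process is never exposed to the unrecoverable stack growth described above.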

Exploit

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALT-PU-2023-1697
ALT-PU-2024-16525
AZL-11654
BIT-HELM-2022-23524
CVE-2022-23524
GHSA-6RX9-889Q-VV2R
GO-2022-1167
OPENSUSE-SU-2022_4606-1
OPENSUSE-SU-2024:12572-1
OPENSUSE-SU-2025:15779-1
SUSE-SU-2022:4606-1

Affected Products

Alt Linux
Helm
Suse