PT-2022-16052 · Helm+2

Credits: Adam Korcz +1

Published 2022-12-14 · Updated 2025-11-28

CVE-2022-23526

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Helm versions prior to 3.10.3

Description: The issue is a NULL pointer dereference in the chartutil package that can cause a segmentation violation. This package contains a parser that loads a JSON Schema validation file, which the Helm client can use to validate chart values. Certain schema files cause array data structures to be created in a way that leads to a memory violation. The result is a denial of service when the input triggers a panic that is not recovered from. The Helm client panics on a schema file that causes such a memory violation, but since Helm is not a long-running service, the panic does not affect future uses of the Helm client.

Recommendations: For versions prior to 3.10.3, update to version 3.10.3 to resolve the issue. As a temporary workaround, SDK users can check that schema files are correctly formatted before passing them to the chartutil functions.
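The workaround above, shown as an added Go example that is not Helm's own code: a shallow well-formedness pre-check of a values.schema.json file (the root and every nested "properties" entry must be JSON objects) before it is handed to a schema validator, plus a wrapper that converts a panic raised inside the validator into an ordinary error so one bad schema file does not take down a long-running SDK user. The function names, the validator callback and the malformed sample schema are assumptions; the recover step in the wrapper is an extra guard beyond the advisory's workaround, and the pre-check does not replace full schema validation.

```go
package main

import "encoding/json"
import "fmt"

// checkSchemaShape: shallow pre-check; root and every "properties" entry must be objects.
func checkSchemaShape(schemaJSON []byte) error {
	var top interface{}
	if err := json.Unmarshal(schemaJSON, &top); err != nil {
		return fmt.Errorf("schema is not valid JSON: %w", err)
	}
	root, ok := top.(map[string]interface{})
	if !ok {
		return fmt.Errorf("schema root must be a JSON object")
	}
	return checkProperties(root, "#")
}

func checkProperties(node map[string]interface{}, path string) error {
	p, present := node["properties"]
	props, ok := p.(map[string]interface{})
	if present && !ok {
		return fmt.Errorf("%s/properties: must be an object", path)
	}
	for name, child := range props { // props is nil when absent, so the loop body never runs
		sub, ok := child.(map[string]interface{})
		if !ok {
			return fmt.Errorf("%s/properties/%s: must be an object", path, name)
		}
		if err := checkProperties(sub, path+"/properties/"+name); err != nil {
			return err
		}
	}
	return nil
}

// validateSafely runs the pre-check, then the caller's validator, turning any panic into an error.
func validateSafely(validate func(schema, values []byte) error, schema, values []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("schema validation panicked: %v", r)
		}
	}()
	if err = checkSchemaShape(schema); err != nil {
		return err
	}
	return validate(schema, values)
}

func main() { fmt.Println(checkSchemaShape([]byte(`{"properties":{"image":["string"]}}`))) } // constructed malformed schema
```

In real use the validate callback would wrap the chartutil call the SDK user already makes; the pre-check rejects the constructed sample in main because "image" is an array where an object is required.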

Exploit · Fix · DoS · NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

ALT-PU-2023-1697
ALT-PU-2024-16525
AZL-11656
BIT-HELM-2022-23526
CVE-2022-23526
GHSA-67FX-WX78-JX33
GO-2022-1166
OPENSUSE-SU-2022_4606-1
OPENSUSE-SU-2024:12572-1
OPENSUSE-SU-2025:15779-1
SUSE-SU-2022:4606-1

Affected Products

Alt Linux
Helm
Suse