PT-2022-4743 · Flux2+2

Published 2022-08-30 · Updated 2024-03-06 · CVE-2022-36049

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: flux2 versions 0.0.17 through 0.32.0; helm-controller versions 0.0.4 through 0.23.0

Description: A vulnerability found in the Helm SDK affects flux2 and helm-controller, allowing specific data inputs to cause high memory consumption. On some platforms this can cause the controller to panic and stop processing reconciliations. In a shared-cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants reconciliation of their Helm releases. The issue lies in the strvals package of the Helm SDK, which can cause an out-of-memory panic when parsing user-supplied input.

Recommendations: For flux2 versions 0.0.17 through 0.32.0, update to version 0.32.0 to resolve the issue. For helm-controller versions 0.0.4 through 0.23.0, update to version 0.23.0 to resolve the issue. As a temporary workaround, validate strings supplied by users so that they cannot create large arrays that consume significant memory. Restrict access to the HelmRelease feature in shared-cluster multi-tenancy environments to minimize the risk of exploitation.
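The workaround above suggests validating user-supplied value strings before they reach the Helm SDK parser. The following is an added illustration, not code from flux2, helm-controller or the Helm project: it bounds the array index in "key[index]=value" assignments (the form Helm's strvals parser accepts for "--set" values) so an attacker cannot request allocation of an enormous array. The limit, the function name and the sample inputs are assumptions chosen for the example; the comma splitting is simplified and ignores Helm's escaping rules.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// maxIndex is an assumed policy limit (hypothetical value) on the largest
// array index a user may name in a set-style string.
const maxIndex = 100

// indexRe matches bracketed numeric indices such as "[3]" inside a key path.
var indexRe = regexp.MustCompile(`\[(\d+)\]`)

// ValidateSetString checks a comma-separated list of "key=value" assignments
// (e.g. "image.tag=v1,ports[2].name=http") and rejects any key whose array
// index exceeds maxIndex. The parser would otherwise grow the target array
// to that length before storing the value, which is the memory blow-up the
// advisory describes.
func ValidateSetString(s string) error {
	for _, assignment := range strings.Split(s, ",") {
		key, _, _ := strings.Cut(assignment, "=")
		for _, m := range indexRe.FindAllStringSubmatch(key, -1) {
			idx, err := strconv.ParseUint(m[1], 10, 64)
			// A parse error here means the index overflowed uint64: reject it too.
			if err != nil || idx > maxIndex {
				return fmt.Errorf("rejected %q: array index %s exceeds limit %d", key, m[1], maxIndex)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: two benign strings and one with a huge index.
	for _, s := range []string{
		"image.tag=v1.2.3,replicas=3",
		"servers[2].port=8080",
		"servers[999999999].port=8080",
	} {
		fmt.Printf("%-32s -> %v\n", s, ValidateSetString(s))
	}
}
```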

Weakness Enumeration

Allocation of Resources Without Limits
Resource Exhaustion

Related Identifiers

ALT-PU-2022-3299
ALT-PU-2022-3302
AZL-10900
BDU:2022-05639
BIT-FLUX-2022-36049
BIT-HELM-2022-36049
CVE-2022-36049
GHSA-7HFP-QFW3-5JXH
GHSA-P2G7-XWVR-RRW3
GO-2022-0962

Affected Products

Alt Linux
Flux2
Helm-Controller