{"id":"CVE-2022-36049","summary":"Flux2 Helm Controller denial of service","details":"Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.","aliases":["BIT-flux-2022-36049","BIT-helm-2022-36049","GHSA-p2g7-xwvr-rrw3"],"modified":"2026-04-16T04:09:21.666547Z","published":"2022-09-07T20:15:13Z","related":["GHSA-7hfp-qfw3-5jxh","GHSA-p2g7-xwvr-rrw3","GO-2022-0962"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36049.json","cwe_ids":["CWE-400"]},"references":[{"type":"WEB","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996"},{"type":"WEB","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36049.json"},{"type":"ADVISORY","url":"https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3"},{"type":"ADVISORY","url":"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36049"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fluxcd/flux2","events":[{"introduced":"e2fd6e8f86967f0db5faae53d8a78d224ef5b84a"},{"fixed":"f2d749069e3fb4f33a6d0b8e7c66cd758bc6ae30"},{"introduced":"d387ebf32dc9324ac1d5e4b2473b49d8a43d1a0c"},{"fixed":"e2a38006646386965485d803cf310e39da00b3c7"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0.0.17"},{"fixed":"0.32.0"},{"introduced":"0.0.4"},{"fixed":"0.23.0"}],"cpe":["cpe:2.3:a:fluxcd:flux2:*:*:*:*:*:*:*:*","cpe:2.3:a:fluxcd:helm-controller:*:*:*:*:*:*:*:*"]}}],"versions":["v0.0.17","v0.0.18","v0.0.19","v0.0.20","v0.0.21","v0.0.22","v0.0.23","v0.0.24","v0.0.25","v0.0.26","v0.0.27","v0.0.28","v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.10.0","v0.11.0","v0.12.0","v0.12.1","v0.12.2","v0.12.3","v0.13.0","v0.13.1","v0.13.2","v0.13.3","v0.13.4","v0.14.0","v0.14.1","v0.14.2","v0.15.0","v0.15.1","v0.15.2","v0.15.3","v0.16.0","v0.16.1","v0.16.2","v0.17.0","v0.17.1","v0.17.2","v0.18.0","v0.18.1","v0.18.2","v0.18.3","v0.19.0","v0.19.1","v0.2.0","v0.2.1","v0.2.2","v0.2.3","v0.2.4","v0.2.5","v0.2.6","v0.20.0","v0.20.1","v0.21.0","v0.21.1","v0.22.0","v0.22.1","v0.23.0","v0.24.0","v0.24.1","v0.25.0","v0.25.1","v0.25.2","v0.25.3","v0.26.0","v0.26.1","v0.26.2","v0.26.3","v0.27.0","v0.27.1","v0.27.2","v0.28.0","v0.28.1","v0.28.2","v0.28.3","v0.28.4","v0.28.5","v0.29.0","v0.29.1","v0.29.2","v0.29.3","v0.29.4","v0.29.5","v0.3.0","v0.30.0","v0.30.1","v0.30.2","v0.31.0","v0.31.1","v0.31.2","v0.31.3","v0.31.4","v0.31.5","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.5.4","v0.5.5","v0.5.6","v0.5.7","v0.5.8","v0.5.9","v0.6.0","v0.6.1","v0.6.2","v0.6.3","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.7.4","v0.7.5","v0.7.6","v0.7.7","v0.8.0","v0.8.1","v0.8.2","v0.9.0","v0.9.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36049.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/helm/helm","events":[{"introduced":"e29ce2a54e96cd02ccfce88bee4f58bb6e2a28b6"},{"fixed":"dbc6d8e20fe1d58d50e6ed30f09a04a77e4c68db"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"3.0.0"},{"fixed":"3.9.4"}],"cpe":"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36049.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"}]}