CVE-2022-36055 (GCVE-0-2022-36055)
Vulnerability from cvelistv5
- CWE-400 - Uncontrolled Resource Consumption
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/helm/helm/releases/tag/v3.9.4 | Release Notes, Third Party Advisory
security-advisories@github.com | https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/helm/helm/releases/tag/v3.9.4 | Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh | Third Party Advisory
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T09:52:00.289Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/helm/helm/releases/tag/v3.9.4" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-36055", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-23T14:01:38.428309Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-23T17:32:44.520Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "helm", "vendor": "helm", "versions": [ { "status": "affected", "version": "\u003c 3.9.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. 
This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-01T12:15:13.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/helm/helm/releases/tag/v3.9.4" } ], "source": { "advisory": "GHSA-7hfp-qfw3-5jxh", "discovery": "UNKNOWN" }, "title": "Denial of service in Helm", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36055", "STATE": "PUBLIC", "TITLE": "Denial of service in Helm" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "helm", "version": { "version_data": [ { "version_value": "\u003c 3.9.4" } ] } } ] }, "vendor_name": "helm" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. 
The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh", "refsource": "CONFIRM", "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh" }, { "name": "https://github.com/helm/helm/releases/tag/v3.9.4", "refsource": "MISC", "url": "https://github.com/helm/helm/releases/tag/v3.9.4" } ] }, "source": { "advisory": "GHSA-7hfp-qfw3-5jxh", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36055", "datePublished": 
"2022-09-01T12:15:13.000Z", "dateReserved": "2022-07-15T00:00:00.000Z", "dateUpdated": "2025-04-23T17:32:44.520Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-36055\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-09-01T13:15:08.930\",\"lastModified\":\"2024-11-21T07:12:16.797\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.\"},{\"lang\":\"es\",\"value\":\"Helm es una herramienta para administrar Charts. Los Charts son paquetes de recursos Kubernetes preconfigurados. Las pruebas Fuzz, proporcionadas por el CNCF, identificaron la entrada de funciones en el paquete _strvals_ que pueden causar un p\u00e1nico de memoria. El paquete _strvals_ contiene un analizador que convierte las cadenas en estructuras Go. 
El paquete _strvals_ convierte estas cadenas en estructuras con las que Go puede trabajar. Algunas entradas de cadenas pueden causar la creaci\u00f3n de estructuras de datos de array causando un p\u00e1nico de memoria. Las aplicaciones que usan el paquete _strvals_ en el SDK de Helm para analizar la entrada suministrada por el usuario pueden sufrir una Denegaci\u00f3n de Servicio cuando esa entrada causa un p\u00e1nico del que no puede recuperarse. El cliente de Helm entrar\u00e1 en p\u00e1nico con la entrada de \\\"--set\\\", \\\"--set-string\\\", y otros flags de configuraci\u00f3n de valores que causan un p\u00e1nico de memoria. Helm no es un servicio de larga duraci\u00f3n, por lo que el p\u00e1nico no afectar\u00e1 a futuros usos del cliente Helm. Este problema ha sido resuelto en versi\u00f3n 3.9.4. Los usuarios del SDK pueden comprender que las cadenas suministradas por los usuarios no crear\u00e1n matrices grandes que causen un uso significativo de la memoria antes de pasarlas a las funciones 
_strvals_\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.9.4\",\"matchCriteriaId\":\"CF12F100-CF74-44E7-9CA3-587E32370849\"}]}]}],\"references\":[{\"url\":\"https://github.com/helm/helm/releases/tag/v3.9.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/helm/helm/releases/tag/v3.9.4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}", "vulnrichment": { "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/helm/helm/releases/tag/v3.9.4\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T09:52:00.289Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-36055\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T14:01:38.428309Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T14:01:39.720Z\"}}], \"cna\": {\"title\": \"Denial of service in Helm\", \"source\": {\"advisory\": \"GHSA-7hfp-qfw3-5jxh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"helm\", \"product\": \"helm\", 
\"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.9.4\"}]}], \"references\": [{\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/helm/helm/releases/tag/v3.9.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. 
SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-09-01T12:15:13.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, \"source\": {\"advisory\": \"GHSA-7hfp-qfw3-5jxh\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003c 3.9.4\"}]}, \"product_name\": \"helm\"}]}, \"vendor_name\": \"helm\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\", \"name\": \"https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/helm/helm/releases/tag/v3.9.4\", \"name\": \"https://github.com/helm/helm/releases/tag/v3.9.4\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. 
The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-400: Uncontrolled Resource Consumption\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-36055\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Denial of service in Helm\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}", "cveMetadata": "{\"cveId\": \"CVE-2022-36055\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T17:32:44.520Z\", \"dateReserved\": \"2022-07-15T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-09-01T12:15:13.000Z\", \"assignerShortName\": \"GitHub_M\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
WID-SEC-W-2022-2339
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-2339 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-2339.json" }, { "category": "self", "summary": "WID-SEC-2022-2339 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-2339" }, { "category": "external", "summary": "IBM Security Bulletin 6984413 vom 2023-04-18", "url": "https://www.ibm.com/support/pages/node/6984413" }, { "category": "external", "summary": "IBM Security Bulletin vom 2022-12-14", "url": "https://www.ibm.com/support/pages/node/6843071" } ], "source_lang": "en-US", 
"title": "IBM DB2: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-04-18T22:00:00.000+00:00", "generator": { "date": "2024-08-15T17:40:03.847+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2022-2339", "initial_release_date": "2022-12-14T23:00:00.000+00:00", "revision_history": [ { "date": "2022-12-14T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-04-18T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "IBM DB2", "product": { "name": "IBM DB2", "product_id": "5104", "product_identification_helper": { "cpe": "cpe:/a:ibm:db2:-" } } }, { "category": "product_name", "name": "IBM DB2 Cloud Pak for Data \u003c 4.6", "product": { "name": "IBM DB2 Cloud Pak for Data \u003c 4.6", "product_id": "T025618", "product_identification_helper": { "cpe": "cpe:/a:ibm:db2:cloud_pak_for_data__4.6" } } } ], "category": "product_name", "name": "DB2" } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2016-1000023", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." 
} ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2016-1000023" }, { "cve": "CVE-2021-21303", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2021-21303" }, { "cve": "CVE-2021-32690", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2021-32690" }, { "cve": "CVE-2022-27664", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. 
F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-27664" }, { "cve": "CVE-2022-28131", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-28131" }, { "cve": "CVE-2022-29526", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-29526" }, { "cve": "CVE-2022-30633", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. 
Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-30633" }, { "cve": "CVE-2022-3172", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-3172" }, { "cve": "CVE-2022-36055", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-36055" }, { "cve": "CVE-2022-41296", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. 
Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-41296" }, { "cve": "CVE-2022-41297", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-41297" } ] }
wid-sec-w-2023-0138
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0138 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0138.json" }, { "category": "self", "summary": "WID-SEC-2023-0138 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0138" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - January 2023 - Appendix Oracle Communications Applications vom 2023-01-17", "url": "https://www.oracle.com/security-alerts/cpujan2023.html#AppendixCAGBU" }, { "category": "external", "summary": "Oracle Linux Security Advisory 
ELSA-2025-8432 vom 2025-06-04", "url": "https://linux.oracle.com/errata/ELSA-2025-8432.html" }, { "category": "external", "summary": "IBM Security Bulletin 7239757 vom 2025-07-15", "url": "https://www.ibm.com/support/pages/node/7239757" } ], "source_lang": "en-US", "title": "Oracle Communications Applications: Mehrere Schwachstellen", "tracking": { "current_release_date": "2025-07-15T22:00:00.000+00:00", "generator": { "date": "2025-07-16T07:52:00.283+00:00", "engine": { "name": "BSI-WID", "version": "1.4.0" } }, "id": "WID-SEC-W-2023-0138", "initial_release_date": "2023-01-17T23:00:00.000+00:00", "revision_history": [ { "date": "2023-01-17T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2025-06-03T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2025-07-15T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "IBM QRadar SIEM", "product": { "name": "IBM QRadar SIEM", "product_id": "T021415", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:-" } } } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "6.3.1", "product": { "name": "Oracle Communications Applications 6.3.1", "product_id": "T018935", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.3.1" } } }, { "category": "product_version", "name": "7.4.0", "product": { "name": "Oracle Communications Applications 7.4.0", "product_id": "T018938", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.0" } } }, { "category": "product_version", "name": "7.4.1", "product": { "name": "Oracle Communications Applications 7.4.1", "product_id": "T018939", "product_identification_helper": { "cpe": 
"cpe:/a:oracle:communications_applications:7.4.1" } } }, { "category": "product_version_range", "name": "\u003c=7.4.2", "product": { "name": "Oracle Communications Applications \u003c=7.4.2", "product_id": "T018940" } }, { "category": "product_version_range", "name": "\u003c=7.4.2", "product": { "name": "Oracle Communications Applications \u003c=7.4.2", "product_id": "T018940-fixed" } }, { "category": "product_version", "name": "8.0.0.6.0", "product": { "name": "Oracle Communications Applications 8.0.0.6.0", "product_id": "T020662", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:8.0.0.6.0" } } }, { "category": "product_version", "name": "7.5.0", "product": { "name": "Oracle Communications Applications 7.5.0", "product_id": "T021639", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.5.0" } } }, { "category": "product_version", "name": "10.0.1.6.0", "product": { "name": "Oracle Communications Applications 10.0.1.6.0", "product_id": "T024967", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:10.0.1.6.0" } } }, { "category": "product_version_range", "name": "\u003c=12.0.0.7.0", "product": { "name": "Oracle Communications Applications \u003c=12.0.0.7.0", "product_id": "T024968" } }, { "category": "product_version_range", "name": "\u003c=12.0.0.7.0", "product": { "name": "Oracle Communications Applications \u003c=12.0.0.7.0", "product_id": "T024968-fixed" } }, { "category": "product_version_range", "name": "\u003c=5.5.9", "product": { "name": "Oracle Communications Applications \u003c=5.5.9", "product_id": "T025857" } }, { "category": "product_version_range", "name": "\u003c=5.5.9", "product": { "name": "Oracle Communications Applications \u003c=5.5.9", "product_id": "T025857-fixed" } }, { "category": "product_version_range", "name": "\u003c=6.0.1", "product": { "name": "Oracle Communications Applications \u003c=6.0.1", "product_id": "T025858" } }, { 
"category": "product_version_range", "name": "\u003c=6.0.1", "product": { "name": "Oracle Communications Applications \u003c=6.0.1", "product_id": "T025858-fixed" } }, { "category": "product_version", "name": "3.0.3.1.0", "product": { "name": "Oracle Communications Applications 3.0.3.1.0", "product_id": "T025859", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:3.0.3.1.0" } } }, { "category": "product_version", "name": "8.0.0.7.0", "product": { "name": "Oracle Communications Applications 8.0.0.7.0", "product_id": "T025860", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:8.0.0.7.0" } } }, { "category": "product_version", "name": "8.1.0.20.0", "product": { "name": "Oracle Communications Applications 8.1.0.20.0", "product_id": "T025861", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:8.1.0.20.0" } } } ], "category": "product_name", "name": "Communications Applications" }, { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2019-17571" }, { "cve": "CVE-2020-16156", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2020-16156" }, { "cve": "CVE-2021-41411", "product_status": { "known_affected": [ 
"T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2021-41411" }, { "cve": "CVE-2021-43797", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2021-43797" }, { "cve": "CVE-2022-22971", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-22971" }, { "cve": "CVE-2022-22978", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-22978" }, { "cve": "CVE-2022-25647", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-25647" }, { "cve": "CVE-2022-25857", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-25857" }, { "cve": "CVE-2022-30126", "product_status": { 
"known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-30126" }, { "cve": "CVE-2022-31692", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-31692" }, { "cve": "CVE-2022-3171", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-3171" }, { "cve": "CVE-2022-32212", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-32212" }, { "cve": "CVE-2022-33980", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-33980" }, { "cve": "CVE-2022-34917", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-34917" }, { "cve": "CVE-2022-35737", 
"product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-35737" }, { "cve": "CVE-2022-36055", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-36055" }, { "cve": "CVE-2022-37454", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-37454" }, { "cve": "CVE-2022-38752", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-38752" }, { "cve": "CVE-2022-39271", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-39271" }, { "cve": "CVE-2022-40146", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-40146" }, { "cve": 
"CVE-2022-40150", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-40150" }, { "cve": "CVE-2022-41720", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-41720" }, { "cve": "CVE-2022-42003", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-42003" }, { "cve": "CVE-2022-42252", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-42252" }, { "cve": "CVE-2022-42889", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-42889" }, { "cve": "CVE-2023-21824", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2023-21824" 
}, { "cve": "CVE-2023-21848", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2023-21848" } ] }
WID-SEC-W-2023-0138
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0138 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0138.json" }, { "category": "self", "summary": "WID-SEC-2023-0138 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0138" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - January 2023 - Appendix Oracle Communications Applications vom 2023-01-17", "url": "https://www.oracle.com/security-alerts/cpujan2023.html#AppendixCAGBU" }, { "category": "external", "summary": "Oracle Linux Security Advisory 
ELSA-2025-8432 vom 2025-06-04", "url": "https://linux.oracle.com/errata/ELSA-2025-8432.html" }, { "category": "external", "summary": "IBM Security Bulletin 7239757 vom 2025-07-15", "url": "https://www.ibm.com/support/pages/node/7239757" } ], "source_lang": "en-US", "title": "Oracle Communications Applications: Mehrere Schwachstellen", "tracking": { "current_release_date": "2025-07-15T22:00:00.000+00:00", "generator": { "date": "2025-07-16T07:52:00.283+00:00", "engine": { "name": "BSI-WID", "version": "1.4.0" } }, "id": "WID-SEC-W-2023-0138", "initial_release_date": "2023-01-17T23:00:00.000+00:00", "revision_history": [ { "date": "2023-01-17T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2025-06-03T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2025-07-15T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "IBM QRadar SIEM", "product": { "name": "IBM QRadar SIEM", "product_id": "T021415", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:-" } } } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "6.3.1", "product": { "name": "Oracle Communications Applications 6.3.1", "product_id": "T018935", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.3.1" } } }, { "category": "product_version", "name": "7.4.0", "product": { "name": "Oracle Communications Applications 7.4.0", "product_id": "T018938", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.0" } } }, { "category": "product_version", "name": "7.4.1", "product": { "name": "Oracle Communications Applications 7.4.1", "product_id": "T018939", "product_identification_helper": { "cpe": 
"cpe:/a:oracle:communications_applications:7.4.1" } } }, { "category": "product_version_range", "name": "\u003c=7.4.2", "product": { "name": "Oracle Communications Applications \u003c=7.4.2", "product_id": "T018940" } }, { "category": "product_version_range", "name": "\u003c=7.4.2", "product": { "name": "Oracle Communications Applications \u003c=7.4.2", "product_id": "T018940-fixed" } }, { "category": "product_version", "name": "8.0.0.6.0", "product": { "name": "Oracle Communications Applications 8.0.0.6.0", "product_id": "T020662", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:8.0.0.6.0" } } }, { "category": "product_version", "name": "7.5.0", "product": { "name": "Oracle Communications Applications 7.5.0", "product_id": "T021639", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.5.0" } } }, { "category": "product_version", "name": "10.0.1.6.0", "product": { "name": "Oracle Communications Applications 10.0.1.6.0", "product_id": "T024967", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:10.0.1.6.0" } } }, { "category": "product_version_range", "name": "\u003c=12.0.0.7.0", "product": { "name": "Oracle Communications Applications \u003c=12.0.0.7.0", "product_id": "T024968" } }, { "category": "product_version_range", "name": "\u003c=12.0.0.7.0", "product": { "name": "Oracle Communications Applications \u003c=12.0.0.7.0", "product_id": "T024968-fixed" } }, { "category": "product_version_range", "name": "\u003c=5.5.9", "product": { "name": "Oracle Communications Applications \u003c=5.5.9", "product_id": "T025857" } }, { "category": "product_version_range", "name": "\u003c=5.5.9", "product": { "name": "Oracle Communications Applications \u003c=5.5.9", "product_id": "T025857-fixed" } }, { "category": "product_version_range", "name": "\u003c=6.0.1", "product": { "name": "Oracle Communications Applications \u003c=6.0.1", "product_id": "T025858" } }, { 
"category": "product_version_range", "name": "\u003c=6.0.1", "product": { "name": "Oracle Communications Applications \u003c=6.0.1", "product_id": "T025858-fixed" } }, { "category": "product_version", "name": "3.0.3.1.0", "product": { "name": "Oracle Communications Applications 3.0.3.1.0", "product_id": "T025859", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:3.0.3.1.0" } } }, { "category": "product_version", "name": "8.0.0.7.0", "product": { "name": "Oracle Communications Applications 8.0.0.7.0", "product_id": "T025860", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:8.0.0.7.0" } } }, { "category": "product_version", "name": "8.1.0.20.0", "product": { "name": "Oracle Communications Applications 8.1.0.20.0", "product_id": "T025861", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:8.1.0.20.0" } } } ], "category": "product_name", "name": "Communications Applications" }, { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2019-17571" }, { "cve": "CVE-2020-16156", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2020-16156" }, { "cve": "CVE-2021-41411", "product_status": { "known_affected": [ 
"T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2021-41411" }, { "cve": "CVE-2021-43797", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2021-43797" }, { "cve": "CVE-2022-22971", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-22971" }, { "cve": "CVE-2022-22978", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-22978" }, { "cve": "CVE-2022-25647", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-25647" }, { "cve": "CVE-2022-25857", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-25857" }, { "cve": "CVE-2022-30126", "product_status": { 
"known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-30126" }, { "cve": "CVE-2022-31692", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-31692" }, { "cve": "CVE-2022-3171", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-3171" }, { "cve": "CVE-2022-32212", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-32212" }, { "cve": "CVE-2022-33980", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-33980" }, { "cve": "CVE-2022-34917", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-34917" }, { "cve": "CVE-2022-35737", 
"product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-35737" }, { "cve": "CVE-2022-36055", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-36055" }, { "cve": "CVE-2022-37454", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-37454" }, { "cve": "CVE-2022-38752", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-38752" }, { "cve": "CVE-2022-39271", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-39271" }, { "cve": "CVE-2022-40146", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-40146" }, { "cve": 
"CVE-2022-40150", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-40150" }, { "cve": "CVE-2022-41720", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-41720" }, { "cve": "CVE-2022-42003", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-42003" }, { "cve": "CVE-2022-42252", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-42252" }, { "cve": "CVE-2022-42889", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2022-42889" }, { "cve": "CVE-2023-21824", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2023-21824" 
}, { "cve": "CVE-2023-21848", "product_status": { "known_affected": [ "T025859", "T024967", "T020662", "T021415", "T018935", "T025861", "T021639", "T018938", "T004914", "T018939", "T025860" ], "last_affected": [ "T024968", "T025858", "T018940", "T025857" ] }, "release_date": "2023-01-17T23:00:00.000+00:00", "title": "CVE-2023-21848" } ] }
wid-sec-w-2022-2339
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-2339 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-2339.json" }, { "category": "self", "summary": "WID-SEC-2022-2339 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-2339" }, { "category": "external", "summary": "IBM Security Bulletin 6984413 vom 2023-04-18", "url": "https://www.ibm.com/support/pages/node/6984413" }, { "category": "external", "summary": "IBM Security Bulletin vom 2022-12-14", "url": "https://www.ibm.com/support/pages/node/6843071" } ], "source_lang": "en-US", 
"title": "IBM DB2: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-04-18T22:00:00.000+00:00", "generator": { "date": "2024-08-15T17:40:03.847+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2022-2339", "initial_release_date": "2022-12-14T23:00:00.000+00:00", "revision_history": [ { "date": "2022-12-14T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-04-18T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "IBM DB2", "product": { "name": "IBM DB2", "product_id": "5104", "product_identification_helper": { "cpe": "cpe:/a:ibm:db2:-" } } }, { "category": "product_name", "name": "IBM DB2 Cloud Pak for Data \u003c 4.6", "product": { "name": "IBM DB2 Cloud Pak for Data \u003c 4.6", "product_id": "T025618", "product_identification_helper": { "cpe": "cpe:/a:ibm:db2:cloud_pak_for_data__4.6" } } } ], "category": "product_name", "name": "DB2" } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2016-1000023", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." 
} ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2016-1000023" }, { "cve": "CVE-2021-21303", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2021-21303" }, { "cve": "CVE-2021-32690", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2021-32690" }, { "cve": "CVE-2022-27664", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. 
F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-27664" }, { "cve": "CVE-2022-28131", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-28131" }, { "cve": "CVE-2022-29526", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-29526" }, { "cve": "CVE-2022-30633", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. 
Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-30633" }, { "cve": "CVE-2022-3172", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-3172" }, { "cve": "CVE-2022-36055", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-36055" }, { "cve": "CVE-2022-41296", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. 
Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-41296" }, { "cve": "CVE-2022-41297", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data and DB2 Warehouse on Cloud Pak for Data. Diese bestehen in den Komponenten Minimatch, Db2U, Helm, kube-apiserver und Golang Go. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verf\u00fcgbarkeit und Integrit\u00e4t zu gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist eine Interaktion des Opfers notwendig." } ], "product_status": { "known_affected": [ "T025618", "5104" ] }, "release_date": "2022-12-14T23:00:00.000+00:00", "title": "CVE-2022-41297" } ] }
opensuse-su-2024:12323-1
Vulnerability from csaf_opensuse
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "helm-3.9.4-2.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the helm-3.9.4-2.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-12323", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12323-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2022-36055 page", "url": "https://www.suse.com/security/cve/CVE-2022-36055/" } ], "title": "helm-3.9.4-2.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:12323-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { 
"branches": [ { "category": "product_version", "name": "helm-3.9.4-2.1.aarch64", "product": { "name": "helm-3.9.4-2.1.aarch64", "product_id": "helm-3.9.4-2.1.aarch64" } }, { "category": "product_version", "name": "helm-bash-completion-3.9.4-2.1.aarch64", "product": { "name": "helm-bash-completion-3.9.4-2.1.aarch64", "product_id": "helm-bash-completion-3.9.4-2.1.aarch64" } }, { "category": "product_version", "name": "helm-fish-completion-3.9.4-2.1.aarch64", "product": { "name": "helm-fish-completion-3.9.4-2.1.aarch64", "product_id": "helm-fish-completion-3.9.4-2.1.aarch64" } }, { "category": "product_version", "name": "helm-zsh-completion-3.9.4-2.1.aarch64", "product": { "name": "helm-zsh-completion-3.9.4-2.1.aarch64", "product_id": "helm-zsh-completion-3.9.4-2.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "helm-3.9.4-2.1.ppc64le", "product": { "name": "helm-3.9.4-2.1.ppc64le", "product_id": "helm-3.9.4-2.1.ppc64le" } }, { "category": "product_version", "name": "helm-bash-completion-3.9.4-2.1.ppc64le", "product": { "name": "helm-bash-completion-3.9.4-2.1.ppc64le", "product_id": "helm-bash-completion-3.9.4-2.1.ppc64le" } }, { "category": "product_version", "name": "helm-fish-completion-3.9.4-2.1.ppc64le", "product": { "name": "helm-fish-completion-3.9.4-2.1.ppc64le", "product_id": "helm-fish-completion-3.9.4-2.1.ppc64le" } }, { "category": "product_version", "name": "helm-zsh-completion-3.9.4-2.1.ppc64le", "product": { "name": "helm-zsh-completion-3.9.4-2.1.ppc64le", "product_id": "helm-zsh-completion-3.9.4-2.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "helm-3.9.4-2.1.s390x", "product": { "name": "helm-3.9.4-2.1.s390x", "product_id": "helm-3.9.4-2.1.s390x" } }, { "category": "product_version", "name": "helm-bash-completion-3.9.4-2.1.s390x", "product": { "name": "helm-bash-completion-3.9.4-2.1.s390x", 
"product_id": "helm-bash-completion-3.9.4-2.1.s390x" } }, { "category": "product_version", "name": "helm-fish-completion-3.9.4-2.1.s390x", "product": { "name": "helm-fish-completion-3.9.4-2.1.s390x", "product_id": "helm-fish-completion-3.9.4-2.1.s390x" } }, { "category": "product_version", "name": "helm-zsh-completion-3.9.4-2.1.s390x", "product": { "name": "helm-zsh-completion-3.9.4-2.1.s390x", "product_id": "helm-zsh-completion-3.9.4-2.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "helm-3.9.4-2.1.x86_64", "product": { "name": "helm-3.9.4-2.1.x86_64", "product_id": "helm-3.9.4-2.1.x86_64" } }, { "category": "product_version", "name": "helm-bash-completion-3.9.4-2.1.x86_64", "product": { "name": "helm-bash-completion-3.9.4-2.1.x86_64", "product_id": "helm-bash-completion-3.9.4-2.1.x86_64" } }, { "category": "product_version", "name": "helm-fish-completion-3.9.4-2.1.x86_64", "product": { "name": "helm-fish-completion-3.9.4-2.1.x86_64", "product_id": "helm-fish-completion-3.9.4-2.1.x86_64" } }, { "category": "product_version", "name": "helm-zsh-completion-3.9.4-2.1.x86_64", "product": { "name": "helm-zsh-completion-3.9.4-2.1.x86_64", "product_id": "helm-zsh-completion-3.9.4-2.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-3.9.4-2.1.aarch64" }, "product_reference": "helm-3.9.4-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { 
"category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-3.9.4-2.1.ppc64le" }, "product_reference": "helm-3.9.4-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-3.9.4-2.1.s390x" }, "product_reference": "helm-3.9.4-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-3.9.4-2.1.x86_64" }, "product_reference": "helm-3.9.4-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-bash-completion-3.9.4-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.aarch64" }, "product_reference": "helm-bash-completion-3.9.4-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-bash-completion-3.9.4-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.ppc64le" }, "product_reference": "helm-bash-completion-3.9.4-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-bash-completion-3.9.4-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.s390x" }, "product_reference": "helm-bash-completion-3.9.4-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": 
"helm-bash-completion-3.9.4-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.x86_64" }, "product_reference": "helm-bash-completion-3.9.4-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-fish-completion-3.9.4-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.aarch64" }, "product_reference": "helm-fish-completion-3.9.4-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-fish-completion-3.9.4-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.ppc64le" }, "product_reference": "helm-fish-completion-3.9.4-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-fish-completion-3.9.4-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.s390x" }, "product_reference": "helm-fish-completion-3.9.4-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-fish-completion-3.9.4-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.x86_64" }, "product_reference": "helm-fish-completion-3.9.4-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-zsh-completion-3.9.4-2.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.aarch64" }, "product_reference": "helm-zsh-completion-3.9.4-2.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": 
"default_component_of", "full_product_name": { "name": "helm-zsh-completion-3.9.4-2.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.ppc64le" }, "product_reference": "helm-zsh-completion-3.9.4-2.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-zsh-completion-3.9.4-2.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.s390x" }, "product_reference": "helm-zsh-completion-3.9.4-2.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "helm-zsh-completion-3.9.4-2.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.x86_64" }, "product_reference": "helm-zsh-completion-3.9.4-2.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-36055", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-36055" } ], "notes": [ { "category": "general", "text": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. 
The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:helm-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-3.9.4-2.1.ppc64le", "openSUSE Tumbleweed:helm-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-3.9.4-2.1.x86_64", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.ppc64le", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.x86_64", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.ppc64le", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.x86_64", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.ppc64le", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2022-36055", "url": "https://www.suse.com/security/cve/CVE-2022-36055" }, { "category": "external", "summary": "SUSE Bug 1203054 for CVE-2022-36055", "url": "https://bugzilla.suse.com/1203054" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:helm-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-3.9.4-2.1.ppc64le", "openSUSE 
Tumbleweed:helm-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-3.9.4-2.1.x86_64", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.ppc64le", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.x86_64", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.ppc64le", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.x86_64", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.ppc64le", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:helm-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-3.9.4-2.1.ppc64le", "openSUSE Tumbleweed:helm-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-3.9.4-2.1.x86_64", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.ppc64le", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-bash-completion-3.9.4-2.1.x86_64", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.ppc64le", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-fish-completion-3.9.4-2.1.x86_64", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.aarch64", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.ppc64le", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.s390x", "openSUSE Tumbleweed:helm-zsh-completion-3.9.4-2.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], 
"title": "CVE-2022-36055" } ] }
gsd-2022-36055
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2022-36055", "description": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.", "id": "GSD-2022-36055", "references": [ "https://www.suse.com/security/cve/CVE-2022-36055.html" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2022-36055" ], "details": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. 
Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.", "id": "GSD-2022-36055", "modified": "2023-12-13T01:19:21.881614Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36055", "STATE": "PUBLIC", "TITLE": "Denial of service in Helm" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "helm", "version": { "version_data": [ { "version_value": "\u003c 3.9.4" } ] } } ] }, "vendor_name": "helm" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. 
The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh", "refsource": "CONFIRM", "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh" }, { "name": "https://github.com/helm/helm/releases/tag/v3.9.4", "refsource": "MISC", "url": "https://github.com/helm/helm/releases/tag/v3.9.4" } ] }, "source": { "advisory": "GHSA-7hfp-qfw3-5jxh", "discovery": "UNKNOWN" } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003cv3.9.4", "affected_versions": "All versions before 3.9.4", "cwe_ids": [ "CWE-1035", "CWE-937" ], "date": "2022-08-30", "description": "Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. Out of memory panics cannot be recovered from. 
Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.\n\n### Impact\n\nThe _strvals_ package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like `--set`, `--set-string`, and others that enable the user to pass in strings that are merged into the values. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic.\n\nApplications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from.\n\nThe Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.\n\n### Patches\n\nThis issue has been resolved in 3.9.4. 
\n\n### Workarounds\n\nSDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.\n\n### For more information\n\nHelm\u0027s security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md) document.\n\n### Credits\n\nDisclosed by Ada Logics in a fuzzing audit sponsored by CNCF.", "fixed_versions": [ "v3.9.4" ], "identifier": "GMS-2022-3755", "identifiers": [ "GHSA-7hfp-qfw3-5jxh", "GMS-2022-3755", "CVE-2022-36055" ], "not_impacted": "All versions starting from 3.9.4", "package_slug": "go/helm.sh/helm/v3", "pubdate": "2022-08-30", "solution": "Upgrade to version 3.9.4 or above.", "title": "Denial of service through string value parsing", "urls": [ "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh", "https://github.com/advisories/GHSA-7hfp-qfw3-5jxh" ], "uuid": "55d3fbd5-8477-4933-9bc7-a8a08dfd4f5e", "versions": [] } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.9.4", "versionStartIncluding": "3.0.0", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36055" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. 
Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-770" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/helm/helm/releases/tag/v3.9.4", "refsource": "MISC", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/helm/helm/releases/tag/v3.9.4" }, { "name": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh", "refsource": "CONFIRM", "tags": [ "Third Party Advisory" ], "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh" } ] } }, "impact": { "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6 } }, "lastModifiedDate": "2023-07-21T20:52Z", "publishedDate": "2022-09-01T13:15Z" } } }
suse-su-2022:3666-1
Vulnerability from csaf_suse
Notes
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for helm", "title": "Title of the patch" }, { "category": "description", "text": "This update for helm fixes the following issues:\n\nhelm was updated to version 3.9.4:\n\n* CVE-2022-36055: Fixed denial of service through string value parsing (bsc#1203054).\n* Updating the certificates used for testing\n* Updating index handling\n\nhelm was updated to version 3.9.3:\n\n- CVE-2022-1996: Updated kube-openapi to fix an issue that could result in a CORS protection bypass (bsc#1200528).\n* Fix missing array length check on release\n\nhelm was updated to version 3.9.2:\n\n* Update of the circleci image\n\nhelm was updated to version 3.9.1:\n\n* Update to support Kubernetes 1.24.2\n* Improve logging and safety of statefulSetReady\n* Make token caching an opt-in feature\n* Bump github.com/lib/pq from 1.10.5 to 1.10.6\n* Bump github.com/Masterminds/squirrel from 1.5.2 to 1.5.3\n\nhelm was updated to version 3.9.0:\n\n* Added a --quiet flag to helm lint\n* Added a --post-renderer-args flag to support arguments being passed to the post renderer\n* Added more checks during the signing process\n* Updated to add Kubernetes 1.24 support\n\nhelm was updated to version 3.8.2:\n\n* Bump oras.land/oras-go from 1.1.0 to 1.1.1\n* Fixing downloader plugin error handling\n* Simplify testdata charts\n* Simplify testdata charts\n* Add tests for multi-level dependencies.\n* Fix value precedence\n* Bumping Kubernetes package versions\n* Updating vcs to latest version\n* Dont modify provided transport\n* Pass http getter as pointer in tests\n* Add docs block\n* Add transport option and tests\n* 
Reuse http transport\n* Updating Kubernetes libs to 0.23.4 (latest)\n* fix: remove deadcode\n* fix: helm package tests\n* fix: helm package with dependency update for charts with OCI dependencies\n* Fix typo Unset the env var before func return in Unit Test\n* add legal name check\n* maint: fix syntax error in deploy.sh\n* linting issue fixed\n* only apply overwrite if version is canary\n* overwrite flag added to az storage blob upload-batch\n* Avoid querying for OCI tags can explicit version provided in chart dependencies\n* Management of bearer tokens for tag listing\n* Updating Kubernetes packages to 1.23.3\n* refactor: use `os.ReadDir` for lightweight directory reading\n* Add IngressClass to manifests to be (un)installed\n* feat(comp): Shell completion for OCI\n* Fix install memory/goroutine leak\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2022-3666,SUSE-SLE-Module-Containers-15-SP3-2022-3666,SUSE-SLE-Module-Containers-15-SP4-2022-3666,SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-3666,SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-3666,openSUSE-SLE-15.3-2022-3666,openSUSE-SLE-15.4-2022-3666", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_3666-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2022:3666-1", "url": "https://www.suse.com/support/update/announcement/2022/suse-su-20223666-1/" }, { "category": "self", 
"summary": "E-Mail link for SUSE-SU-2022:3666-1", "url": "https://lists.suse.com/pipermail/sle-updates/2022-October/025643.html" }, { "category": "self", "summary": "SUSE Bug 1200528", "url": "https://bugzilla.suse.com/1200528" }, { "category": "self", "summary": "SUSE Bug 1203054", "url": "https://bugzilla.suse.com/1203054" }, { "category": "self", "summary": "SUSE CVE CVE-2022-1996 page", "url": "https://www.suse.com/security/cve/CVE-2022-1996/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-36055 page", "url": "https://www.suse.com/security/cve/CVE-2022-36055/" } ], "title": "Security update for helm", "tracking": { "current_release_date": "2022-10-19T18:45:15Z", "generator": { "date": "2022-10-19T18:45:15Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2022:3666-1", "initial_release_date": "2022-10-19T18:45:15Z", "revision_history": [ { "date": "2022-10-19T18:45:15Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "helm-3.9.4-150000.1.10.3.aarch64", "product": { "name": "helm-3.9.4-150000.1.10.3.aarch64", "product_id": "helm-3.9.4-150000.1.10.3.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "helm-3.9.4-150000.1.10.3.i586", "product": { "name": "helm-3.9.4-150000.1.10.3.i586", "product_id": "helm-3.9.4-150000.1.10.3.i586" } } ], "category": "architecture", "name": "i586" }, { "branches": [ { "category": "product_version", "name": "helm-bash-completion-3.9.4-150000.1.10.3.noarch", "product": { "name": "helm-bash-completion-3.9.4-150000.1.10.3.noarch", "product_id": "helm-bash-completion-3.9.4-150000.1.10.3.noarch" } }, { "category": "product_version", "name": "helm-fish-completion-3.9.4-150000.1.10.3.noarch", "product": { "name": "helm-fish-completion-3.9.4-150000.1.10.3.noarch", 
"product_id": "helm-fish-completion-3.9.4-150000.1.10.3.noarch" } }, { "category": "product_version", "name": "helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "product": { "name": "helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "product_id": "helm-zsh-completion-3.9.4-150000.1.10.3.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "helm-3.9.4-150000.1.10.3.ppc64le", "product": { "name": "helm-3.9.4-150000.1.10.3.ppc64le", "product_id": "helm-3.9.4-150000.1.10.3.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "helm-3.9.4-150000.1.10.3.s390x", "product": { "name": "helm-3.9.4-150000.1.10.3.s390x", "product_id": "helm-3.9.4-150000.1.10.3.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "helm-3.9.4-150000.1.10.3.x86_64", "product": { "name": "helm-3.9.4-150000.1.10.3.x86_64", "product_id": "helm-3.9.4-150000.1.10.3.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux Enterprise Module for Containers 15 SP3", "product": { "name": "SUSE Linux Enterprise Module for Containers 15 SP3", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP3", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-containers:15:sp3" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Module for Containers 15 SP4", "product": { "name": "SUSE Linux Enterprise Module for Containers 15 SP4", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-module-containers:15:sp4" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Module for Package Hub 15 SP3", "product": { "name": "SUSE Linux Enterprise Module for Package Hub 15 SP3", "product_id": "SUSE Linux Enterprise Module for Package 
Hub 15 SP3", "product_identification_helper": { "cpe": "cpe:/o:suse:packagehub:15:sp3" } } }, { "category": "product_name", "name": "SUSE Linux Enterprise Module for Package Hub 15 SP4", "product": { "name": "SUSE Linux Enterprise Module for Package Hub 15 SP4", "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP4", "product_identification_helper": { "cpe": "cpe:/o:suse:packagehub:15:sp4" } } }, { "category": "product_name", "name": "openSUSE Leap 15.3", "product": { "name": "openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.3" } } }, { "category": "product_name", "name": "openSUSE Leap 15.4", "product": { "name": "openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.4" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP3", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.aarch64" }, "product_reference": "helm-3.9.4-150000.1.10.3.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.ppc64le as component of SUSE Linux Enterprise Module for Containers 15 SP3", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.ppc64le" }, "product_reference": "helm-3.9.4-150000.1.10.3.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.s390x as component of SUSE Linux Enterprise Module for Containers 15 SP3", "product_id": 
"SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.s390x" }, "product_reference": "helm-3.9.4-150000.1.10.3.s390x", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP3", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.x86_64" }, "product_reference": "helm-3.9.4-150000.1.10.3.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-bash-completion-3.9.4-150000.1.10.3.noarch as component of SUSE Linux Enterprise Module for Containers 15 SP3", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP3:helm-bash-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-bash-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-zsh-completion-3.9.4-150000.1.10.3.noarch as component of SUSE Linux Enterprise Module for Containers 15 SP3", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP4", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.aarch64" }, "product_reference": "helm-3.9.4-150000.1.10.3.aarch64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4" }, { 
"category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.ppc64le as component of SUSE Linux Enterprise Module for Containers 15 SP4", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.ppc64le" }, "product_reference": "helm-3.9.4-150000.1.10.3.ppc64le", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.s390x as component of SUSE Linux Enterprise Module for Containers 15 SP4", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.s390x" }, "product_reference": "helm-3.9.4-150000.1.10.3.s390x", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP4", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.x86_64" }, "product_reference": "helm-3.9.4-150000.1.10.3.x86_64", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "helm-bash-completion-3.9.4-150000.1.10.3.noarch as component of SUSE Linux Enterprise Module for Containers 15 SP4", "product_id": "SUSE Linux Enterprise Module for Containers 15 SP4:helm-bash-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-bash-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "helm-zsh-completion-3.9.4-150000.1.10.3.noarch as component of SUSE Linux Enterprise Module for Containers 15 SP4", "product_id": "SUSE Linux Enterprise Module for Containers 15 
SP4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "helm-fish-completion-3.9.4-150000.1.10.3.noarch as component of SUSE Linux Enterprise Module for Package Hub 15 SP3", "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP3:helm-fish-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-fish-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-fish-completion-3.9.4-150000.1.10.3.noarch as component of SUSE Linux Enterprise Module for Package Hub 15 SP4", "product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP4:helm-fish-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-fish-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP4" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.aarch64 as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.aarch64" }, "product_reference": "helm-3.9.4-150000.1.10.3.aarch64", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.ppc64le as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.ppc64le" }, "product_reference": "helm-3.9.4-150000.1.10.3.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.s390x as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 
15.3:helm-3.9.4-150000.1.10.3.s390x" }, "product_reference": "helm-3.9.4-150000.1.10.3.s390x", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.x86_64 as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.x86_64" }, "product_reference": "helm-3.9.4-150000.1.10.3.x86_64", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-bash-completion-3.9.4-150000.1.10.3.noarch as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:helm-bash-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-bash-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-fish-completion-3.9.4-150000.1.10.3.noarch as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:helm-fish-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-fish-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-zsh-completion-3.9.4-150000.1.10.3.noarch as component of openSUSE Leap 15.3", "product_id": "openSUSE Leap 15.3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "openSUSE Leap 15.3" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.aarch64 as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.aarch64" }, "product_reference": "helm-3.9.4-150000.1.10.3.aarch64", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": 
"helm-3.9.4-150000.1.10.3.ppc64le as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.ppc64le" }, "product_reference": "helm-3.9.4-150000.1.10.3.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.s390x as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.s390x" }, "product_reference": "helm-3.9.4-150000.1.10.3.s390x", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "helm-3.9.4-150000.1.10.3.x86_64 as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.x86_64" }, "product_reference": "helm-3.9.4-150000.1.10.3.x86_64", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "helm-bash-completion-3.9.4-150000.1.10.3.noarch as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:helm-bash-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-bash-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "helm-fish-completion-3.9.4-150000.1.10.3.noarch as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:helm-fish-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-fish-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "openSUSE Leap 15.4" }, { "category": "default_component_of", "full_product_name": { "name": "helm-zsh-completion-3.9.4-150000.1.10.3.noarch as component of openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch" }, "product_reference": "helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "relates_to_product_reference": "openSUSE Leap 15.4" } ] 
}, "vulnerabilities": [ { "cve": "CVE-2022-1996", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-1996" } ], "notes": [ { "category": "general", "text": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 15.3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 
15.3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 15.4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-1996", "url": "https://www.suse.com/security/cve/CVE-2022-1996" }, { "category": "external", "summary": "SUSE Bug 1200528 for CVE-2022-1996", "url": "https://bugzilla.suse.com/1200528" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for Containers 15 
SP4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 15.3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 15.4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 
SP4:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 15.3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 15.4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-10-19T18:45:15Z", "details": "critical" } ], "title": "CVE-2022-1996" }, { "cve": "CVE-2022-36055", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-36055" } ], "notes": [ { "category": "general", "text": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. 
Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for 
Containers 15 SP4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 15.3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 15.4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2022-36055", "url": "https://www.suse.com/security/cve/CVE-2022-36055" }, { "category": "external", "summary": "SUSE Bug 1203054 for CVE-2022-36055", "url": "https://bugzilla.suse.com/1203054" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 
15 SP3:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 15.3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 15.4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": 
"3.1" }, "products": [ "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.aarch64", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.ppc64le", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.s390x", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-3.9.4-150000.1.10.3.x86_64", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Containers 15 SP4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.3:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 15.3:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.3:helm-zsh-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.aarch64", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.ppc64le", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.s390x", "openSUSE Leap 15.4:helm-3.9.4-150000.1.10.3.x86_64", "openSUSE Leap 
15.4:helm-bash-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-fish-completion-3.9.4-150000.1.10.3.noarch", "openSUSE Leap 15.4:helm-zsh-completion-3.9.4-150000.1.10.3.noarch" ] } ], "threats": [ { "category": "impact", "date": "2022-10-19T18:45:15Z", "details": "important" } ], "title": "CVE-2022-36055" } ] }
ghsa-7hfp-qfw3-5jxh
Vulnerability from github
Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. Out of memory panics cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can suffer a Denial of Service when they use this package and it panics.
Impact
The _strvals_ package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like --set, --set-string, and others that enable the user to pass in strings that are merged into the values. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created, causing an out of memory panic.
Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from.
The Helm Client will panic on input to --set, --set-string, and other value setting flags that causes an out of memory panic. Helm is not a long running service, so the panic will not affect future uses of the Helm client.
Patches
This issue has been resolved in 3.9.4.
Workarounds
SDK users can validate that user-supplied strings will not create large arrays causing significant memory usage before passing them to the _strvals_ functions.
For more information
Helm's security policy is spelled out in detail in our SECURITY document (https://github.com/helm/community/blob/master/SECURITY.md).
Credits
Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.
{ "affected": [ { "package": { "ecosystem": "Go", "name": "helm.sh/helm/v3" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.9.4" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-36055" ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2022-08-30T20:52:31Z", "nvd_published_at": "2022-09-01T13:15:00Z", "severity": "MODERATE" }, "details": "Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the `_strvals_` package that can cause an out of memory panic. Out of memory panics cannot be recovered from. Applications that use functions from the `_strvals_` package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.\n\n### Impact\n\nThe `_strvals_` package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like `--set`, `--set-string`, and others that enable the user to pass in strings that are merged into the values. The `_strvals_` package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic.\n\nApplications that use the `_strvals_` package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from.\n\nThe Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.\n\n### Patches\n\nThis issue has been resolved in 3.9.4. 
\n\n### Workarounds\n\nSDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the `_strvals_` functions.\n\n### For more information\n\nHelm\u0027s security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md) document.\n\n### Credits\n\nDisclosed by Ada Logics in a fuzzing audit sponsored by CNCF.", "id": "GHSA-7hfp-qfw3-5jxh", "modified": "2023-08-30T18:43:09Z", "published": "2022-08-30T20:52:31Z", "references": [ { "type": "WEB", "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36055" }, { "type": "WEB", "url": "https://github.com/helm/helm/commit/10466e3e179cc8cad4b0bb451108d3c442c69fbc" }, { "type": "PACKAGE", "url": "https://github.com/helm/helm" }, { "type": "WEB", "url": "https://github.com/helm/helm/releases/tag/v3.9.4" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2022-0962" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Helm Vulnerable to denial of service through string value parsing" }
fkie_cve-2022-36055
Vulnerability from fkie_nvd
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/helm/helm/releases/tag/v3.9.4 | Release Notes, Third Party Advisory | |
security-advisories@github.com | https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/helm/helm/releases/tag/v3.9.4 | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh | Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF12F100-CF74-44E7-9CA3-587E32370849", "versionEndExcluding": "3.9.4", "versionStartIncluding": "3.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won\u0027t create large arrays causing significant memory usage before passing them to the _strvals_ functions." }, { "lang": "es", "value": "Helm es una herramienta para administrar Charts. Los Charts son paquetes de recursos Kubernetes preconfigurados. Las pruebas Fuzz, proporcionadas por el CNCF, identificaron la entrada de funciones en el paquete _strvals_ que pueden causar un p\u00e1nico de memoria. El paquete _strvals_ contiene un analizador que convierte las cadenas en estructuras Go. El paquete _strvals_ convierte estas cadenas en estructuras con las que Go puede trabajar. 
Algunas entradas de cadenas pueden causar la creaci\u00f3n de estructuras de datos de array causando un p\u00e1nico de memoria. Las aplicaciones que usan el paquete _strvals_ en el SDK de Helm para analizar la entrada suministrada por el usuario pueden sufrir una Denegaci\u00f3n de Servicio cuando esa entrada causa un p\u00e1nico del que no puede recuperarse. El cliente de Helm entrar\u00e1 en p\u00e1nico con la entrada de \"--set\", \"--set-string\", y otros flags de configuraci\u00f3n de valores que causan un p\u00e1nico de memoria. Helm no es un servicio de larga duraci\u00f3n, por lo que el p\u00e1nico no afectar\u00e1 a futuros usos del cliente Helm. Este problema ha sido resuelto en versi\u00f3n 3.9.4. Los usuarios del SDK pueden comprender que las cadenas suministradas por los usuarios no crear\u00e1n matrices grandes que causen un uso significativo de la memoria antes de pasarlas a las funciones _strvals_" } ], "id": "CVE-2022-36055", "lastModified": "2024-11-21T07:12:16.797", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2022-09-01T13:15:08.930", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/helm/helm/releases/tag/v3.9.4" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/helm/helm/releases/tag/v3.9.4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cnvd-2022-62221
Vulnerability from cnvd
Title: Helm资源管理错误漏洞
Description:
Helm是一款Kubernetes包管理器。
Helm 3.9.3版本及之前版本存在资源管理错误漏洞,该漏洞源于 CNCF 提供的模糊测试识别了 strvals 包中可能导致内存不足恐慌的函数的输入。目前没有详细的漏洞细节提供。
Severity: 中
Patch Name: Helm资源管理错误漏洞的补丁
Patch Description:
Helm是一款Kubernetes包管理器。
Helm 3.9.3版本及之前版本存在资源管理错误漏洞,该漏洞源于 CNCF 提供的模糊测试识别了 strvals 包中可能导致内存不足恐慌的函数的输入。目前没有详细的漏洞细节提供。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description:
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh
Reference: https://cxsecurity.com/cveshow/CVE-2022-36055/
Name | helm helm |
---|
{ "cves": { "cve": { "cveNumber": "CVE-2022-36055" } }, "description": "Helm\u662f\u4e00\u6b3eKubernetes\u5305\u7ba1\u7406\u5668\u3002\n\nHelm 3.9.3\u7248\u672c\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e CNCF \u63d0\u4f9b\u7684\u6a21\u7cca\u6d4b\u8bd5\u8bc6\u522b\u4e86 _strvals_ \u5305\u4e2d\u53ef\u80fd\u5bfc\u81f4\u5185\u5b58\u4e0d\u8db3\u6050\u614c\u7684\u51fd\u6570\u7684\u8f93\u5165\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002", "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh", "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e", "number": "CNVD-2022-62221", "openTime": "2022-09-08", "patchDescription": "Helm\u662f\u4e00\u6b3eKubernetes\u5305\u7ba1\u7406\u5668\u3002\r\n\r\nHelm 3.9.3\u7248\u672c\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e CNCF \u63d0\u4f9b\u7684\u6a21\u7cca\u6d4b\u8bd5\u8bc6\u522b\u4e86 _strvals_ \u5305\u4e2d\u53ef\u80fd\u5bfc\u81f4\u5185\u5b58\u4e0d\u8db3\u6050\u614c\u7684\u51fd\u6570\u7684\u8f93\u5165\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002", "patchName": "Helm\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01", "products": { "product": "helm helm" }, "referenceLink": "https://cxsecurity.com/cveshow/CVE-2022-36055/", "serverity": "\u4e2d", "submitTime": "2022-09-05", "title": "Helm\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e" }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.