SCA: security update for helm.sh/helm/v3 (GHSA-7hfp-qfw3-5jxh)

medium Tenable Self-Hosted Container Security Plugin ID 412084

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz
testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an
out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The
_strvals_ package converts these strings into structures Go can work with. Some string inputs can cause
array data structures to be created causing an out of memory panic. Applications that use the _strvals_
package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes
a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`,
and other value setting flags that causes an out of memory panic. Helm is not a long running service so
the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users
can validate strings supplied by users won't create large arrays causing significant memory usage before
passing them to the _strvals_ functions. (CVE-2022-36055)

See Also

https://github.com/advisories/GHSA-7hfp-qfw3-5jxh

Plugin Details

Severity: Medium

ID: 412084

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2022-36055

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/30/2022

Vulnerability Publication Date: 8/30/2022

Reference Information

CVE: CVE-2022-36055