The remote Fedora 37 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-c9b2182a4e advisory.

    Update helm to 3.11.1, resolving multiple security issues

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-4e2068ba5d advisory.

    Update helm to 3.11.1, resolving multiple security issues

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-6550d9323b advisory.

    Update helm to 3.11.1, resolving multiple security issues

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of helm installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-23524 advisory.

  - Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are     subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the
    _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from.
    Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service     attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can     validate strings supplied by users won't create large arrays causing significant memory usage before     passing them to the _strvals_ functions. (CVE-2022-23524)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:4606-1 advisory.

  - ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS     is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0,     there is a zip-slip vulnerability. The directory support feature allows the downloaded gzipped tarballs     to be automatically extracted to the user-specified directory where the tarball can have symbolic links     and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or     overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly     with the same permissions as the user who runs `oras pull`. Users of the affected versions are impacted if     they are `oras` CLI users who runs `oras pull`, or if they are Go programs, which invoke     `github.com/deislabs/oras/pkg/content.FileStore`. The problem has been fixed in version 0.9.0. For `oras`     CLI users, there is no workarounds other than pulling from a trusted artifact provider. For `oras` package     users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other     content stores instead, or pull from a trusted artifact provider. (CVE-2021-21272)

  - Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.
    (CVE-2022-1996)

  - Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are     subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the
    _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from.
    Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service     attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can     validate strings supplied by users won't create large arrays causing significant memory usage before     passing them to the _strvals_ functions. (CVE-2022-23524)

  - Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are     subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that     processes the index file of a repository. For example, the Helm client adds references to chart     repositories where charts are managed. The _repo_ package parses the index file of the repository and     loads it into structures Go can work with. Some index files can cause array data structures to be created     causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index     file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm     Client will panic with an index file that causes a memory violation panic. Helm is not a long running     service so the panic will not affect future uses of the Helm client. This issue has been patched in     3.10.3. SDK users can validate index files that are correctly formatted before passing them to the _repo_     functions. (CVE-2022-23525)

  - Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are     subject to NULL Pointer Dereference in the_chartutil_ package that can cause a segmentation violation. The
    _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm     client when rendering a chart will validate its values with the schema file. The _chartutil_ package     parses the schema file and loads it into structures Go can work with. Some schema files can cause array     data structures to be created causing a memory violation. Applications that use the _chartutil_ package in     the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that     cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of     the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are     correctly formatted before passing them to the _chartutil_ functions. (CVE-2022-23526)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-46c95e2c57 advisory.

    Automatic update for golang-helm-3-3.11.1-1.fc39.

    ##### **Changelog**

    ```
    * Tue Feb 21 2023 Davide Cavalca <dcavalca@fedoraproject.org> - 3.11.1-1
    - Update to 3.11.1; Fixes: RHBZ#1977738, RHBZ#2045644, RHBZ#2138841,       RHBZ#2142198, RHBZ#2142210, RHBZ#2097975, RHBZ#2155938, RHBZ#2155939,       RHBZ#2163231, RHBZ#1971091, RHBZ#1971029
    * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.4-8
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
    * Wed Aug 10 2022 Maxwell G <gotmax@e.email> - 3.5.4-7
    - Rebuild to fix FTBFS
    * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.4-6
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
    * Tue Jul 19 2022 Maxwell G <gotmax@e.email> - 3.5.4-5
    - Rebuild for CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in       golang
    * Sat Jul  9 2022 Maxwell G <gotmax@e.email> - 3.5.4-4
    - Rebuild for CVE-2022-{24675,28327,29526 in golang}
    * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.4-3
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

    ```

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
171802	Fedora 37 : golang-github-need-being-tree / golang-helm-3 / golang-oras / etc (2023-c9b2182a4e)	Nessus	Fedora Local Security Checks	2/22/2023	11/14/2024	critical
171807	Fedora 38 : golang-github-need-being-tree / golang-helm-3 / golang-oras / etc (2023-4e2068ba5d)	Nessus	Fedora Local Security Checks	2/22/2023	11/14/2024	critical
171806	Fedora 36 : golang-github-need-being-tree / golang-helm-3 / golang-oras / etc (2023-6550d9323b)	Nessus	Fedora Local Security Checks	2/22/2023	11/14/2024	critical
172842	CBL Mariner 2.0 Security Update: helm (CVE-2022-23524)	Nessus	MarinerOS Local Security Checks	3/20/2023	3/28/2023	high
169282	SUSE SLED15 / SLES15 Security Update : helm (SUSE-SU-2022:4606-1)	Nessus	SuSE Local Security Checks	12/23/2022	7/14/2023	critical
194633	Fedora 39 : golang-helm-3 (2023-46c95e2c57)	Nessus	Fedora Local Security Checks	4/29/2024	11/14/2024	critical

Detections

Analytics

Plugins Search

critical

critical

critical

high

critical

critical