Flux2 Helm Controller denial of service

Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

未加控制的资源消耗(资源穷尽)

Flux2 资源管理错误漏洞

Flux2是云原生计算基金会（Cloud Native Computing Foundation）的一种使 Kubernetes 集群与配置源保持同步的工具。 Flux2 v0.0.17至v0.32.0之前版本和helm-controller v0.0.4至v0.23.0之前版本存在资源管理错误漏洞，该漏洞源于允许特定数据输入导致高内存消耗，这可能会导致控制器恐慌并停止处理对账。在共享集群多租户环境中，租户可以创建一个HelmRelease使控制器恐慌，拒绝协调所有其他租户的Helm版本。

N/A

N/A