BIT-helm-2020-15184

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/helm/BIT-helm-2020-15184.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-helm-2020-15184
Aliases
Published
2024-03-06T10:55:17.666Z
Modified
2024-11-27T19:40:48.342Z
Summary
[none]
Details

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.

Database specific
{
    "cpes": [
        "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*"
    ],
    "severity": "Low"
}
References

Affected packages

Bitnami / helm

Package

Name
helm
Purl
pkg:bitnami/helm

Severity

  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.16.11
Introduced
3.0.0
Fixed
3.3.2