GHSA-9vp5-m38w-j776

Source

https://github.com/advisories/GHSA-9vp5-m38w-j776

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-9vp5-m38w-j776/GHSA-9vp5-m38w-j776.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9vp5-m38w-j776

Aliases

Published

2021-05-24T16:56:58Z

Modified

2023-12-06T01:00:15.784081Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Aliases are never checked in helm

Details

Impact

During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart.

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11

Specific Go Packages Affected

helm.sh/helm/v3/pkg/chartutil

Workarounds

Manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.

References

Affected packages

Go / helm.sh/helm/v3

Package

Name: helm.sh/helm/v3; View open source insights on deps.dev
Purl: pkg:golang/helm.sh/helm/v3

Affected ranges

Type: SEMVER
Events: Introduced

3.0.0

Fixed

3.3.2

Go / helm.sh/helm

Package

Name: helm.sh/helm; View open source insights on deps.dev
Purl: pkg:golang/helm.sh/helm

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.16.11