GHSA-9vp5-m38w-j776

Source
https://github.com/advisories/GHSA-9vp5-m38w-j776
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-9vp5-m38w-j776/GHSA-9vp5-m38w-j776.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9vp5-m38w-j776
Aliases
Published
2021-05-24T16:56:58Z
Modified
2023-12-06T01:00:15.784081Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Aliases are never checked in helm
Details

Impact

During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the alias field of a dependency entry (the dependencies list in Chart.yaml, or requirements.yaml in Helm 2) is never validated. Because the alias becomes the name under which the dependency is loaded, an alias containing newlines or path characters could inject unwanted information into a chart.

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11.

Specific Go Packages Affected

helm.sh/helm/v3/pkg/chartutil

Workarounds

Manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.
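The review described above can be mechanised. The following Go program is an added example written for this page, not Helm's own code: it scans the dependencies block of a Chart.yaml, decodes quoted alias values so that an escaped newline is seen as a real newline, and rejects any alias outside a conservative allow-list of letters, digits, '-' and '_'. That allow-list, the line-based scanner (deliberately not a full YAML parser), and the sample chart with its placeholder repository URL are all assumptions of the example, chosen so that path separators, "..", newlines and YAML punctuation are all refused.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// aliasNameFormat is the allow-list applied to dependency aliases here.
// Assumption (not Helm's own rule): letters, digits, '-' and '_' only, so a
// path separator, "..", a newline or any YAML punctuation is rejected outright.
var aliasNameFormat = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)

// ValidateAlias returns nil for an absent alias or one matching the allow-list,
// and a descriptive error otherwise.
func ValidateAlias(alias string) error {
	if alias == "" {
		return nil // alias is optional in a dependency entry
	}
	if !aliasNameFormat.MatchString(alias) {
		return fmt.Errorf("dependency alias %q contains characters outside [a-zA-Z0-9_-]", alias)
	}
	return nil
}

// aliasLine matches "alias: value", optionally as the first key of a list item.
var aliasLine = regexp.MustCompile(`^\s*(?:-\s+)?alias:\s*(.*?)\s*$`)

// unquote decodes a double-quoted scalar with strconv.Unquote so that an escaped
// newline ("\n") becomes a real newline; a single-quoted scalar just loses its
// quotes; anything else is returned as written.
func unquote(v string) string {
	if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
		if s, err := strconv.Unquote(v); err == nil {
			return s
		}
	}
	if len(v) >= 2 && v[0] == '\'' && v[len(v)-1] == '\'' {
		return strings.ReplaceAll(v[1:len(v)-1], "''", "'")
	}
	return v
}

// ExtractAliases returns the alias values found under the top-level
// dependencies: key. It is a small line scanner, not a YAML parser: a block
// scalar ("alias: |") yields the literal "|", which the allow-list rejects anyway.
func ExtractAliases(chartYAML string) []string {
	var aliases []string
	inDeps := false
	sc := bufio.NewScanner(strings.NewReader(chartYAML))
	for sc.Scan() {
		line := sc.Text()
		trimmed := strings.TrimSpace(line)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		// A non-indented line that is not a list item starts a new top-level key.
		if !strings.HasPrefix(line, " ") && !strings.HasPrefix(line, "-") {
			inDeps = strings.HasPrefix(line, "dependencies:")
			continue
		}
		if !inDeps {
			continue
		}
		if m := aliasLine.FindStringSubmatch(line); m != nil {
			aliases = append(aliases, unquote(m[1]))
		}
	}
	return aliases
}

// CheckChart returns every dependency alias in chartYAML that fails ValidateAlias.
func CheckChart(chartYAML string) []string {
	var bad []string
	for _, a := range ExtractAliases(chartYAML) {
		if err := ValidateAlias(a); err != nil {
			bad = append(bad, a)
		}
	}
	return bad
}

// sampleChart is a constructed Chart.yaml for this example; the repository URL is
// a placeholder. Two of the four dependencies carry aliases a reviewer must reject.
const sampleChart = `apiVersion: v2
name: demo
version: 0.1.0
dependencies:
  - name: redis
    version: 1.2.3
    repository: https://example.invalid/charts
    alias: cache
  - name: postgresql
    version: 4.5.6
    repository: https://example.invalid/charts
    alias: "../../etc/db"
  - name: nginx
    version: 7.8.9
    repository: https://example.invalid/charts
    alias: "web\nextra: injected"
  - name: memcached
    version: 1.0.0
    repository: https://example.invalid/charts
`

func main() {
	bad := CheckChart(sampleChart)
	if len(bad) == 0 {
		fmt.Println("no suspicious dependency aliases")
		return
	}
	for _, a := range bad {
		fmt.Printf("REJECT: %v\n", ValidateAlias(a))
	}
}
```

Run against the constructed chart, the program flags "../../etc/db" and the alias whose decoded value contains a newline followed by a second YAML key, while "cache" and the dependency with no alias pass. Replace sampleChart with the contents of the untrusted chart's Chart.yaml (or requirements.yaml for Helm 2) to apply the same check in practice.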

Database specific
{
    "nvd_published_at": "2020-09-17T21:15:00Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-74"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T16:50:04Z"
}
References

Affected packages

Go / helm.sh/helm/v3

Package

Name
helm.sh/helm/v3
Purl
pkg:golang/helm.sh/helm/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.3.2

Go / helm.sh/helm

Package

Name
helm.sh/helm
Purl
pkg:golang/helm.sh/helm

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.16.11