During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the alias field of a dependency entry in Chart.yaml is not properly sanitized. Because the alias is taken from the chart as-is, a crafted value could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11.
Affected package: helm.sh/helm/v3/pkg/chartutil
Workaround: manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used or, if used, contains no newlines or path characters (such as "/", "\" or "..").
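The workaround above can be turned into an automated pre-install check. The following Go program is an added example and is not Helm's own code: it models a dependencies entry as a small struct (constructed here rather than Helm's type), applies the review rule (no newlines, no path characters) plus an assumed strict allow-list of letters, digits, underscore and hyphen, and shows why a newline in an alias matters when the alias is later written into generated metadata line by line. The function and field names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Dependency mirrors the Chart.yaml dependency fields that matter here.
// Constructed for this example; it is not Helm's own type.
type Dependency struct {
	Name    string
	Version string
	Alias   string
}

// aliasFormat is a strict allow-list: letters, digits, underscore, hyphen.
// This rule is assumed for the example, not quoted from Helm's source.
var aliasFormat = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)

// ValidateAlias returns nil when the alias is unused (empty) or matches the
// allow-list, otherwise an error naming the first problem found. The first
// two cases are the advisory's own checks (newlines, path characters); the
// regex catches everything else, such as spaces or YAML punctuation.
func ValidateAlias(alias string) error {
	if alias == "" {
		return nil
	}
	switch {
	case strings.ContainsAny(alias, "\r\n"):
		return errors.New("alias contains a newline")
	case strings.ContainsAny(alias, `/\`) || strings.Contains(alias, ".."):
		return errors.New("alias contains path characters")
	case !aliasFormat.MatchString(alias):
		return fmt.Errorf("alias %q is not of the form [a-zA-Z0-9_-]+", alias)
	}
	return nil
}

// CheckDependencies runs ValidateAlias over every entry and returns the
// offending entries keyed by their index in the dependencies list.
func CheckDependencies(deps []Dependency) map[int]error {
	bad := map[int]error{}
	for i, d := range deps {
		if err := ValidateAlias(d.Alias); err != nil {
			bad[i] = err
		}
	}
	return bad
}

// renderNameLine is a deliberately naive metadata writer: it substitutes the
// alias for the chart name without escaping. With a newline in the alias the
// output gains an extra key, which is the injection the advisory describes.
func renderNameLine(alias string) string {
	return "name: " + alias + "\n"
}

func main() {
	// Constructed sample: one benign entry and one crafted alias.
	deps := []Dependency{
		{Name: "redis", Version: "10.5.7", Alias: "cache"},
		{Name: "postgresql", Version: "8.6.4", Alias: "db\nversion: 0.0.0-evil"},
	}
	for i, err := range CheckDependencies(deps) {
		fmt.Printf("dependencies[%d] (%s): %v\n", i, deps[i].Name, err)
	}
	fmt.Print("unsanitised output would be:\n", renderNameLine(deps[1].Alias))
}
```

Run it against the dependencies block of an untrusted chart before `helm dependency update`; any entry reported here is one the advisory says to reject or edit by hand.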
NVD published: 2020-09-17T21:15:00Z. CWE IDs: CWE-20, CWE-74. Severity: LOW. GitHub reviewed: yes (2021-05-24T16:50:04Z).