GHSA-jm56-5h66-w453

Suggest an improvement
Source
https://github.com/advisories/GHSA-jm56-5h66-w453
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-jm56-5h66-w453/GHSA-jm56-5h66-w453.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jm56-5h66-w453
Aliases
Published
2021-05-24T16:57:06Z
Modified
2023-12-06T01:00:15.845588Z
Severity
  • 2.2 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Repository index file allows for duplicates of the same chart entry in helm
Details

Impact

During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository.

To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection).

Specific Go Packages Affected

helm.sh/helm/v3/pkg/repo

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11

Workarounds

  • do not install charts from repositories you do not trust
  • fetch charts using a secure channel of communication (such as TLS)
  • use helm pull to fetch the chart, then review the chart’s content (either manually, or with helm verify if it has been signed) to ensure it has not been tampered with
  • manually review the index file in the Helm repository cache before installing software.
Database specific
{
    "nvd_published_at": "2020-09-17T22:15:00Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-694",
        "CWE-74"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T16:47:58Z"
}
References

Affected packages

Go / helm.sh/helm/v3

Package

Name
helm.sh/helm/v3
View open source insights on deps.dev
Purl
pkg:golang/helm.sh/helm/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.3.2

Go / helm.sh/helm

Package

Name
helm.sh/helm
View open source insights on deps.dev
Purl
pkg:golang/helm.sh/helm

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.16.11