GHSA-m54r-vrmv-hw33

Source
https://github.com/advisories/GHSA-m54r-vrmv-hw33
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-m54r-vrmv-hw33/GHSA-m54r-vrmv-hw33.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m54r-vrmv-hw33
Aliases
Published
2021-05-24T16:57:12Z
Modified
2023-12-06T01:00:15.907920Z
Severity
  • 3.4 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N
Summary
Improper Sanitizing of plugin names in helm
Details

Impact

Security researchers at Trail of Bits discovered that Helm did not sanitize plugin names. As a result, a malicious plugin author could use characters in a plugin name that cause unexpected behavior, such as duplicating the name of another installed plugin or spoofing the plugin listing in the output of helm --help.

Specific Go Packages Affected

helm.sh/helm/v3/pkg/plugin

Patches

This issue has been patched in Helm 3.3.2.

Workarounds

Do not install untrusted Helm plugins. Before installing a plugin, examine the name field in its plugin.yaml file and reject any name containing characters outside the [a-zA-Z0-9._-] range.
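The following is an added example of the workaround above, written for this page; it is not Helm's own validation code. It checks plugin names against the [a-zA-Z0-9._-] character set named in the workaround (anchoring the pattern to the whole name and rejecting empty names are this example's choices), flags names that collide across plugin directories, and reports offending characters with %q so that control bytes such as ESC are visible rather than rendered. The name extraction is a deliberately minimal line scanner for a top-level "name:" key and is an assumption of this example, not Helm's loader; the plugin.yaml contents are constructed samples.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// validPluginName is the character set the advisory's workaround lists
// ([a-zA-Z0-9._-]). Anchoring with ^...$ and requiring at least one
// character is this example's choice: the whole name must be clean and
// an empty name is rejected.
var validPluginName = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)

// checkPluginName returns nil for an acceptable name, otherwise an error
// listing the offending characters with %q so that control bytes such as
// ESC or newline show up in the report instead of being rendered.
func checkPluginName(name string) error {
	if validPluginName.MatchString(name) {
		return nil
	}
	if name == "" {
		return fmt.Errorf("plugin name is empty")
	}
	var bad []string
	for _, r := range name {
		if !validPluginName.MatchString(string(r)) {
			bad = append(bad, fmt.Sprintf("%q", r))
		}
	}
	return fmt.Errorf("plugin name %q contains disallowed characters: %s",
		name, strings.Join(bad, " "))
}

// nameFromPluginYAML pulls the value of the top-level "name:" key out of a
// plugin.yaml. This is a minimal line scanner (an assumption of this
// example, not Helm's loader): it handles a scalar on one line and strips
// one pair of surrounding quotes, but it does not decode YAML escape
// sequences, so audit tooling should prefer a real YAML parser.
func nameFromPluginYAML(yaml string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(yaml))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "name:") {
			continue
		}
		v := strings.TrimSpace(strings.TrimPrefix(line, "name:"))
		if len(v) >= 2 && ((v[0] == '"' && v[len(v)-1] == '"') || (v[0] == '\'' && v[len(v)-1] == '\'')) {
			v = v[1 : len(v)-1]
		}
		return v, true
	}
	return "", false
}

// auditPlugins takes plugin directory -> plugin.yaml contents and reports,
// per directory, a name that is missing, contains disallowed characters,
// or collides with another plugin's name. Collisions are reported under
// every directory that claims the name.
func auditPlugins(plugins map[string]string) map[string]error {
	findings := make(map[string]error)
	seen := make(map[string][]string) // name -> directories claiming it
	for dir, yaml := range plugins {
		name, ok := nameFromPluginYAML(yaml)
		if !ok {
			findings[dir] = fmt.Errorf("no name field in plugin.yaml")
			continue
		}
		if err := checkPluginName(name); err != nil {
			findings[dir] = err
			continue
		}
		seen[name] = append(seen[name], dir)
	}
	for name, dirs := range seen {
		if len(dirs) > 1 {
			for _, dir := range dirs {
				findings[dir] = fmt.Errorf("plugin name %q is claimed by %d directories: %v", name, len(dirs), dirs)
			}
		}
	}
	return findings
}

func main() {
	// Constructed plugin.yaml contents keyed by plugin directory; these are
	// illustrative samples, not real plugins.
	samples := map[string]string{
		"plugins/diff":     "name: diff\nversion: 1.0.0\n",
		"plugins/diff-two": "name: \"diff\"\nversion: 0.1.0\n",          // collides with plugins/diff
		"plugins/spoof":    "name: starter\x1b[2Kinstall\nversion: 1\n", // ESC sequence aimed at terminal output
		"plugins/noname":   "version: 1\n",
		"plugins/ok":       "name: my.plugin_v2-rc1\n",
	}
	findings := auditPlugins(samples)
	dirs := make([]string, 0, len(findings))
	for dir := range findings {
		dirs = append(dirs, dir)
	}
	sort.Strings(dirs)
	for _, dir := range dirs {
		fmt.Printf("%s: %v\n", dir, findings[dir])
	}
	if len(findings) == 0 {
		fmt.Println("all plugin names pass")
	}
}
```

To run this against a real installation, feed auditPlugins the plugin.yaml contents found under the Helm plugins directory (HELM_PLUGINS, or the location printed by helm env); any directory with a finding should be removed or not installed until the name is corrected.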

Database specific
{
    "nvd_published_at": "2020-09-17T22:15:00Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-74"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T16:45:43Z"
}
References

Affected packages

Go / helm.sh/helm/v3

Package

Name
helm.sh/helm/v3
Purl
pkg:golang/helm.sh/helm/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.3.2

Go / helm.sh/helm

Package

Name
helm.sh/helm
Purl
pkg:golang/helm.sh/helm

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.16.11