GO-2022-1040

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-1040

Import Source

https://vuln.go.dev/ID/GO-2022-1040.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-1040

Aliases

Published

2022-10-18T15:14:31Z

Modified

2024-05-20T16:03:47Z

Summary

Insufficient sanitization of data files in helm.sh/helm/v3

Details

Helm does not sanitize all fields read from repository data files. A maliciously crafted data file may contain strings containing arbitrary data. If printed to a terminal, a malicious string could obscure or alter data on the screen.

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2022-1040",
    "review_status": "REVIEWED"
}

References

Affected packages

Go / helm.sh/helm/v3

Package

Name: helm.sh/helm/v3; View open source insights on deps.dev
Purl: pkg:golang/helm.sh/helm/v3

Affected ranges

Type: SEMVER
Events: Introduced

3.0.0

Fixed

3.5.2

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "Chart.Validate",
                "Metadata.Validate"
            ],
            "path": "helm.sh/helm/v3/pkg/chart"
        },
        {
            "symbols": [
                "FindPlugins",
                "LoadAll",
                "LoadDir",
                "validatePluginData"
            ],
            "path": "helm.sh/helm/v3/pkg/plugin"
        },
        {
            "symbols": [
                "ChartRepository.DownloadIndexFile",
                "ChartRepository.Index",
                "ChartRepository.Load",
                "FindChartInAuthAndTLSRepoURL",
                "FindChartInAuthRepoURL",
                "FindChartInRepoURL",
                "IndexDirectory",
                "IndexFile.Add",
                "LoadIndexFile",
                "loadIndex"
            ],
            "path": "helm.sh/helm/v3/pkg/repo"
        }
    ]
}