
GHSA-9vp5-m38w-j776

Severity: Low
EPSS: 0.00234% (0.4615 percentile)

Aliases are never checked in helm

Affected Packages

Affected package: go:helm.sh/helm
PURL: pkg:go/helm.sh%2Fhelm
Affected versions: < 2.16.11
Fixed version: 2.16.11
Dependent packages: 46
Dependent repositories: 48

Affected Version Ranges

All affected versions

v1.2.1, v2.0.0+incompatible, v2.0.0-alpha.1+incompatible, v2.0.0-alpha.2+incompatible, v2.0.0-alpha.3+incompatible, v2.0.0-alpha.4+incompatible, v2.0.0-alpha.5+incompatible, v2.0.0-beta.1+incompatible, v2.0.0-beta.2+incompatible, v2.0.0-rc.1+incompatible, v2.0.0-rc.2+incompatible, v2.0.1+incompatible, v2.0.2+incompatible, v2.1.0+incompatible, v2.1.1+incompatible, v2.1.2+incompatible, v2.1.3+incompatible, v2.2.0+incompatible, v2.2.1+incompatible, v2.2.2+incompatible, v2.2.3+incompatible, v2.3.0+incompatible, v2.3.1+incompatible, v2.4.0+incompatible, v2.4.1+incompatible, v2.4.2+incompatible, v2.5.0+incompatible, v2.5.1+incompatible, v2.6.0+incompatible, v2.6.1+incompatible, v2.6.2+incompatible, v2.7.0+incompatible, v2.7.0-rc1+incompatible, v2.7.1+incompatible, v2.7.2+incompatible, v2.8.0+incompatible, v2.8.0-rc.1+incompatible, v2.8.1+incompatible, v2.8.2+incompatible, v2.8.2-rc1+incompatible, v2.9.0+incompatible, v2.9.0-rc1+incompatible, v2.9.0-rc2+incompatible, v2.9.0-rc3+incompatible, v2.9.0-rc4+incompatible, v2.9.0-rc5+incompatible, v2.9.1+incompatible, v2.10.0+incompatible, v2.10.0-rc.1+incompatible, v2.10.0-rc.2+incompatible, v2.10.0-rc.3+incompatible, v2.11.0+incompatible, v2.11.0-rc.1+incompatible, v2.11.0-rc.2+incompatible, v2.11.0-rc.3+incompatible, v2.11.0-rc.4+incompatible, v2.12.0+incompatible, v2.12.0-rc.1+incompatible, v2.12.0-rc.2+incompatible, v2.12.1+incompatible, v2.12.2+incompatible, v2.12.3+incompatible, v2.13.0+incompatible, v2.13.0-rc.1+incompatible, v2.13.0-rc.2+incompatible, v2.13.1+incompatible, v2.13.1-rc.1+incompatible, v2.14.0+incompatible, v2.14.0-rc.1+incompatible, v2.14.0-rc.2+incompatible, v2.14.1+incompatible, v2.14.2+incompatible, v2.14.3+incompatible, v2.15.0+incompatible, v2.15.0-rc.1+incompatible, v2.15.0-rc.2+incompatible, v2.15.1+incompatible, v2.15.2+incompatible, v2.16.0+incompatible, v2.16.0-rc.1+incompatible, v2.16.0-rc.2+incompatible, v2.16.1+incompatible, v2.16.2+incompatible, v2.16.3+incompatible, v2.16.4+incompatible, v2.16.5+incompatible, v2.16.6+incompatible, v2.16.7+incompatible, v2.16.8+incompatible, v2.16.9+incompatible, v2.16.10+incompatible

All unaffected versions

v2.16.11+incompatible, v2.16.12+incompatible, v2.17.0+incompatible

Affected package: go:helm.sh/helm/v3
PURL: pkg:go/helm.sh%2Fhelm%2Fv3
Affected versions: >= 3.0.0, < 3.3.2
Fixed version: 3.3.2
Dependent packages: 1,580
Dependent repositories: 5,000

Affected Version Ranges

All affected versions

v3.0.0, v3.0.0-alpha.1, v3.0.0-alpha.2, v3.0.0-beta.1, v3.0.0-beta.2, v3.0.0-beta.3, v3.0.0-beta.4, v3.0.0-beta.5, v3.0.0-rc.1, v3.0.0-rc.2, v3.0.0-rc.3, v3.0.0-rc.4, v3.0.1, v3.0.2, v3.0.3, v3.1.0, v3.1.0-rc.1, v3.1.0-rc.2, v3.1.0-rc.3, v3.1.1, v3.1.2, v3.1.3, v3.2.0, v3.2.0-rc.1, v3.2.1, v3.2.2, v3.2.3, v3.2.4, v3.3.0, v3.3.0-rc.1, v3.3.0-rc.2, v3.3.1

All unaffected versions

v3.3.2, v3.3.3, v3.3.4, v3.4.0, v3.4.1, v3.4.2, v3.5.0, v3.5.1, v3.5.2, v3.5.3, v3.5.4, v3.6.0, v3.6.1, v3.6.2, v3.6.3, v3.7.0, v3.7.1, v3.7.2, v3.8.0, v3.8.1, v3.8.2, v3.9.0, v3.9.1, v3.9.2, v3.9.3, v3.9.4, v3.10.0, v3.10.1, v3.10.2, v3.10.3, v3.11.0, v3.11.1, v3.11.2, v3.11.3, v3.12.0, v3.12.1, v3.12.2, v3.12.3, v3.13.0, v3.13.1, v3.13.2, v3.13.3, v3.14.0, v3.14.1, v3.14.2, v3.14.3, v3.14.4, v3.15.0, v3.15.1, v3.15.2, v3.15.3, v3.15.4, v3.16.0, v3.16.1, v3.16.2, v3.16.3, v3.16.4, v3.17.0, v3.17.1, v3.17.2, v3.17.3, v3.17.4, v3.18.0, v3.18.1, v3.18.2, v3.18.3, v3.18.4, v3.18.5, v3.18.6, v3.19.0

Impact

During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the alias field of a dependency in Chart.yaml is not validated or sanitized: whatever string the chart author supplies is taken as-is. An alias crafted with newlines or path characters could therefore be used to inject unwanted information into a chart.

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11.

Specific Go Packages Affected

helm.sh/helm/v3/pkg/chartutil

Workarounds

Manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.
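The manual review above can be scripted. The following Go program is an added example written for this page, not Helm's own code or its patch: it scans the dependencies block of a Chart.yaml for alias values, unquotes double-quoted scalars so that escaped newlines become visible, and flags any alias that contains a newline or path characters, which is exactly the rule the workaround states. As a stricter, assumed policy (my choice, not something the advisory prescribes) it additionally rejects any alias outside the character set [A-Za-z0-9_-]. The Chart.yaml content and the chart names in it are constructed for the demonstration; the line-oriented extractor is a deliberate simplification and would need a real YAML parser for charts with unusual formatting.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Finding records one alias that violates the review rule.
type Finding struct {
	Line   int    // 1-based line in Chart.yaml where the alias appears
	Alias  string // the decoded alias value
	Reason string // why it was flagged
}

// aliasAllowlist is an assumed, stricter policy layered on top of the
// advisory's "no newlines or path characters" rule.
var aliasAllowlist = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// Constructed Chart.yaml for the demonstration (not a real chart). The second
// dependency hides a newline behind a YAML escape; the third uses a path.
const sampleChartYAML = `apiVersion: v2
name: demo-app
version: 1.0.0
dependencies:
  - name: postgresql
    version: 9.1.1
    repository: https://charts.example.invalid
    alias: db
  - name: redis
    version: 10.0.0
    repository: https://charts.example.invalid
    alias: "cache\nname: injected"
  - name: nginx
    version: 5.0.0
    repository: https://charts.example.invalid
    alias: ../escape
`

// extractAliases returns alias values keyed by line number using a simple
// line scan (hypothetical helper; Helm uses a full YAML parser). Double-quoted
// scalars are unquoted so that "\n" escapes turn into real newlines, which is
// the form an injection attempt would take in a quoted YAML string.
func extractAliases(chartYAML string) map[int]string {
	out := map[int]string{}
	for i, raw := range strings.Split(chartYAML, "\n") {
		line := strings.TrimPrefix(strings.TrimSpace(raw), "- ")
		if !strings.HasPrefix(line, "alias:") {
			continue
		}
		val := strings.TrimSpace(strings.TrimPrefix(line, "alias:"))
		if strings.HasPrefix(val, `"`) {
			if u, err := strconv.Unquote(val); err == nil {
				val = u
			}
		} else {
			val = strings.Trim(val, "'") // single-quoted YAML has no escapes
		}
		out[i+1] = val
	}
	return out
}

// checkAlias returns an empty string if the alias is acceptable, otherwise
// the reason it fails. An empty alias means "alias not used" and passes.
func checkAlias(alias string) string {
	switch {
	case alias == "":
		return ""
	case strings.ContainsAny(alias, "\n\r"):
		return "contains a newline"
	case strings.ContainsAny(alias, `/\`) || strings.Contains(alias, ".."):
		return "contains path characters"
	case !aliasAllowlist.MatchString(alias):
		return "contains characters outside [A-Za-z0-9_-]"
	}
	return ""
}

// auditChart applies checkAlias to every alias in the chart, in line order.
func auditChart(chartYAML string) []Finding {
	aliases := extractAliases(chartYAML)
	lines := make([]int, 0, len(aliases))
	for l := range aliases {
		lines = append(lines, l)
	}
	sort.Ints(lines)
	var findings []Finding
	for _, l := range lines {
		if reason := checkAlias(aliases[l]); reason != "" {
			findings = append(findings, Finding{Line: l, Alias: aliases[l], Reason: reason})
		}
	}
	return findings
}

func main() {
	findings := auditChart(sampleChartYAML)
	for _, f := range findings {
		fmt.Printf("Chart.yaml:%d: alias %q %s\n", f.Line, f.Alias, f.Reason)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero exit so a CI step can gate on the result
	}
}
```

Run against the constructed chart, the program flags the redis alias for the embedded newline and the nginx alias for the path, and passes the plain alias "db". Point it at a real Chart.yaml by replacing the constant with the file contents; the non-zero exit makes it usable as a gate before an untrusted chart is installed on a Helm version older than 3.3.2 or 2.16.11.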
