Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl2cDUtbTM4dy1qNzc2
Aliases are never checked in helm
Impact
During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the alias field of a dependency entry in Chart.yaml is not validated. Because the alias is used in place of the dependency's name, an unsanitized value could lead to the injection of unwanted information into a chart.
Patches
This issue has been patched in Helm 3.3.2 (Helm 3) and 2.16.11 (Helm 2).
Specific Go Packages Affected
helm.sh/helm/v3/pkg/chartutil
Workarounds
Manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.
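The check below is an added example of the workaround above, written for this page; it is not Helm's own code and does not reproduce how Helm resolves subcharts. It applies a whitelist (letters, digits, underscore and hyphen) to each alias, which is the positive form of "no newlines or path characters", and separately shows why path characters matter: if an alias is substituted for the dependency name when a directory path is built, a value such as ../../escaped steers that path out of the charts directory. The Dependency type, the SubchartDir helper and the sampleDependencies list are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Dependency mirrors the fields of one entry under dependencies: in a
// Chart.yaml that matter for this check. Illustrative type, not Helm's own.
type Dependency struct {
	Name       string
	Version    string
	Repository string
	Alias      string
}

// aliasFormat is the whitelist this example applies. Stating the rule
// positively rejects anything unexpected instead of enumerating bad bytes;
// newlines, '/', '\' and '.' all fall outside it.
var aliasFormat = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)

// ErrBadAlias is returned (wrapped) for any alias that fails the whitelist.
var ErrBadAlias = errors.New("disallowed characters in dependency alias")

// ValidateAlias returns nil for an empty alias (the field is optional) or one
// that matches aliasFormat, and a wrapped ErrBadAlias otherwise.
func ValidateAlias(alias string) error {
	if alias == "" {
		return nil
	}
	if !aliasFormat.MatchString(alias) {
		return fmt.Errorf("%w: %q", ErrBadAlias, alias)
	}
	return nil
}

// SubchartDir models the risky pattern: the alias replaces the dependency's
// name, and the name is joined onto the charts directory. This is an
// assumption for illustration only, not Helm's path handling.
func SubchartDir(chartsDir string, d Dependency) string {
	name := d.Name
	if d.Alias != "" {
		name = d.Alias
	}
	return filepath.Join(chartsDir, name)
}

// CheckDependencies validates every alias and also reports any dependency whose
// modelled subchart path escapes chartsDir. It returns one message per problem.
func CheckDependencies(chartsDir string, deps []Dependency) []string {
	var problems []string
	root := filepath.Clean(chartsDir)
	for _, d := range deps {
		if err := ValidateAlias(d.Alias); err != nil {
			problems = append(problems, fmt.Sprintf("dependency %q: %v", d.Name, err))
		}
		dir := SubchartDir(chartsDir, d)
		rel, err := filepath.Rel(root, dir)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			problems = append(problems, fmt.Sprintf("dependency %q: alias resolves outside %s (%s)", d.Name, chartsDir, dir))
		}
	}
	return problems
}

// sampleDependencies is a constructed dependencies list: two well-formed
// entries and two that the workaround tells a reviewer to reject.
var sampleDependencies = []Dependency{
	{Name: "postgresql", Version: "8.6.4", Repository: "https://charts.example.invalid", Alias: "db"},
	{Name: "redis", Version: "10.5.7", Repository: "https://charts.example.invalid"},
	{Name: "nginx", Version: "5.1.5", Repository: "https://charts.example.invalid", Alias: "../../escaped"},
	{Name: "memcached", Version: "4.2.20", Repository: "https://charts.example.invalid", Alias: "cache\ninjected: true"},
}

func main() {
	for _, p := range CheckDependencies("charts", sampleDependencies) {
		fmt.Println(p)
	}
}
```

On the sample list the nginx entry is reported twice (bad characters, and a path that resolves outside charts/) and the memcached entry once (the embedded newline fails the whitelist but does not change the path), which is why validating the alias string itself, before it is used anywhere, is the simpler and more complete control.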
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl2cDUtbTM4dy1qNzc2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 3 years ago
Updated: 7 months ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-9vp5-m38w-j776, CVE-2020-15184
References:
- https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776
- https://nvd.nist.gov/vuln/detail/CVE-2020-15184
- https://github.com/helm/helm/commit/6aab63765f99050b115f0aec3d6350c85e8da946
- https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850
- https://github.com/advisories/GHSA-9vp5-m38w-j776
Blast Radius: 13.7
Affected Packages
go:helm.sh/helm
Dependent packages: 46
Dependent repositories: 48
Affected Version Ranges: < 2.16.11
Fixed in: 2.16.11
All affected versions: 1.2.1, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.15.2, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.16.9, 2.16.10
All unaffected versions: 2.16.11, 2.16.12, 2.17.0
go:helm.sh/helm/v3
Dependent packages: 1,580
Dependent repositories: 5,000
Affected Version Ranges: >= 3.0.0, < 3.3.2
Fixed in: 3.3.2
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1
All unaffected versions: 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 3.8.2, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.14.0