ghsa-9vp5-m38w-j776
Vulnerability from github
Published
2021-05-24 16:56
Modified
2023-10-02 12:24
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Aliases are never checked in helm
Details

Impact

During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart.

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11

Specific Go Packages Affected

helm.sh/helm/v3/pkg/chartutil

Workarounds

Manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "helm.sh/helm/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "helm.sh/helm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.16.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T16:50:04Z",
    "nvd_published_at": "2020-09-17T21:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nDuring a security audit of Helm\u0027s code base, security researchers at Trail of Bits identified a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart.\n\n### Patches\n\nThis issue has been patched in Helm 3.3.2 and 2.16.11\n\n### Specific Go Packages Affected\nhelm.sh/helm/v3/pkg/chartutil\n\n### Workarounds\n\nManually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.",
  "id": "GHSA-9vp5-m38w-j776",
  "modified": "2023-10-02T12:24:31Z",
  "published": "2021-05-24T16:56:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15184"
    },
    {
      "type": "WEB",
      "url": "https://github.com/helm/helm/commit/6aab63765f99050b115f0aec3d6350c85e8da946"
    },
    {
      "type": "WEB",
      "url": "https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/helm/helm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Aliases are never checked in helm"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.