In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.
References
Link | Resource |
---|---|
https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850 | Patch Third Party Advisory |
https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2020-09-17T20:40:12
Updated: 2020-09-17T20:40:12
Reserved: 2020-06-25T00:00:00
Link: CVE-2020-15184
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-09-17T21:15:17.550
Modified: 2021-11-18T17:50:32.987
Link: CVE-2020-15184
JSON object: View
Redhat Information
No data.