Bug 2264336 (CVE-2024-25620)

Summary: CVE-2024-25620 helm: Dependency management path traversal
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alcohan, amctagga, anjoseph, dfreiber, dkenigsb, drow, eglynn, fdeutsch, gparvin, jburrell, jjoyce, jprabhak, jschluet, jwendell, lbainbri, lhh, lsvaty, manissin, mburns, mgarciac, muagarwa, njean, odf-bz-bot, oramraz, owatkins, pahickey, pgrist, rcernich, rgarg, rhaigner, rhos-maint, sapillai, sidakwo, smullick, stirabos, thason, tnielsen, twalsh, vkumar, wtam
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: helm 3.14.1 Doc Type: ---
Doc Text:
A path traversal vulnerability was found in Helm when it saved a chart including download time. When either the Helm client or SDK is used to save a chart whose name is within the Chart.yaml file and includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2264339, 2264340, 2264341    
Bug Blocks: 2264337    

Description Avinash Hanwate 2024-02-15 05:06:04 UTC 
Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies.

https://github.com/helm/helm/commit/0d0f91d1ce277b2c8766cdc4c7aa04dbafbf2503
https://github.com/helm/helm/security/advisories/GHSA-v53g-5gjp-272r
Comment 2 errata-xmlrpc 2024-03-14 14:48:37 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8

Via RHSA-2024:1328 https://access.redhat.com/errata/RHSA-2024:1328
Comment 3 errata-xmlrpc 2024-03-19 00:19:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1255 https://access.redhat.com/errata/RHSA-2024:1255
Comment 4 errata-xmlrpc 2024-05-21 09:38:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2865 https://access.redhat.com/errata/RHSA-2024:2865
Comment 9 errata-xmlrpc 2024-06-27 12:38:28 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.12
  Red Hat OpenShift GitOps 1.12 - RHEL 9

Via RHSA-2024:4163 https://access.redhat.com/errata/RHSA-2024:4163
Comment 10 errata-xmlrpc 2024-07-18 13:37:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.11

Via RHSA-2024:4626 https://access.redhat.com/errata/RHSA-2024:4626
Comment 11 errata-xmlrpc 2024-10-01 17:30:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:3718 https://access.redhat.com/errata/RHSA-2024:3718