1882357 – (CVE-2020-15184) CVE-2020-15184 helm: Chart.yaml is not properly sanitized lead to injection of unwanted information into chart

Bug 1882357 (CVE-2020-15184) - CVE-2020-15184 helm: Chart.yaml is not properly sanitized lead to injection of unwanted information into chart

Summary: CVE-2020-15184 helm: Chart.yaml is not properly sanitized lead to injection o...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-15184
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1884133
Blocks:	1882307
TreeView+	depends on / blocked

Reported:	2020-09-24 11:12 UTC by Dhananjay Arunesh
Modified:	2021-12-15 02:48 UTC (History)
CC List:	15 users (show)
Fixed In Version:	helm 3.3.2, helm 2.16.11
Clone Of:
Environment:
Last Closed:	2021-10-28 05:03:28 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2020-09-24 11:12:55 UTC

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.

References:
https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850
https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776

Note You need to log in before you can comment on or make changes to this bug.