Bug 1882357 (CVE-2020-15184) - CVE-2020-15184 helm: Chart.yaml is not properly sanitized, leading to injection of unwanted information into chart
Status: CLOSED ERRATA
Alias: CVE-2020-15184
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1884133
Blocks: 1882307
Reported: 2020-09-24 11:12 UTC by Dhananjay Arunesh
Modified: 2021-12-15 02:48 UTC

Fixed In Version: helm 3.3.2, helm 2.16.11
Last Closed: 2021-10-28 05:03:28 UTC

Description Dhananjay Arunesh 2020-09-24 11:12:55 UTC
In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.

References:
https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850
https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776
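
The manual review described in the workaround can be scripted for charts that cannot be upgraded yet. The following is an added example, not code from Helm or from the original report; the function names, the sample chart, and the reading of "path characters" as `/`, `\` and `..` are assumptions.

```python
import re

# Assumption: "path characters" means path separators and dot-dot sequences.
_NEWLINE = re.compile(r"[\r\n]")
_PATH = re.compile(r"[/\\]|\.\.")


def audit_aliases(chart):
    """Return (dependency name, alias, reason) for each suspicious alias in a parsed Chart.yaml."""
    findings = []
    for dep in chart.get("dependencies") or []:
        if not isinstance(dep, dict):
            continue
        name, alias = dep.get("name"), dep.get("alias")
        if alias in (None, ""):
            continue  # alias not used: nothing to review
        if not isinstance(alias, str):
            findings.append((name, alias, "alias is not a string"))
        elif _NEWLINE.search(alias):
            findings.append((name, alias, "alias contains a newline"))
        elif _PATH.search(alias):
            findings.append((name, alias, "alias contains path characters"))
    return findings


def audit_chart_file(path):
    """Parse a Chart.yaml from disk and audit it (needs third-party PyYAML)."""
    import yaml  # imported lazily so audit_aliases works without PyYAML
    with open(path, encoding="utf-8") as fh:
        return audit_aliases(yaml.safe_load(fh) or {})


# Constructed sample: the parsed form of an untrusted chart's Chart.yaml.
SAMPLE_CHART = {
    "apiVersion": "v2",
    "name": "demo",
    "version": "0.1.0",
    "dependencies": [
        {"name": "redis", "version": "1.0.0", "repository": "https://charts.example.test"},
        {"name": "mysql", "version": "1.0.0", "alias": "db-primary"},
        {"name": "nginx", "version": "1.0.0", "alias": "web\nsecond-line"},
        {"name": "etcd", "version": "1.0.0", "alias": "../outside"},
    ],
}

if __name__ == "__main__":
    for name, alias, reason in audit_aliases(SAMPLE_CHART):
        print(f"{name}: {reason}: {alias!r}")
```

Any finding means the chart should not be used with an unpatched Helm until the alias has been inspected by hand.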
