Bug 1930336 (CVE-2021-21303) - CVE-2021-21303 helm: Unsanitized data displayed directly to user's terminal
Summary: CVE-2021-21303 helm: Unsanitized data displayed directly to user's terminal
Status: NEW
Alias: CVE-2021-21303
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1935832 1935833 1935834
Blocks: 1930338
Reported: 2021-02-18 17:11 UTC by Michael Kaplan
Modified: 2021-03-05 16:31 UTC (History)

Fixed In Version: helm 3.5.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:


Description Michael Kaplan 2021-02-18 17:11:38 UTC
In Helm from version 3.0 and before version 3.5.2, there are a few cases where data loaded from potentially untrusted sources was not properly sanitized. When a SemVer in the `version` field of a chart is invalid, in some cases Helm allows the string to be used "as is" without sanitizing. Helm fails to properly sanitize some fields present on Helm repository `index.yaml` files. Helm does not properly sanitize some fields in the `plugin.yaml` file for plugins. In some cases, Helm does not properly sanitize the fields in the `Chart.yaml` file. By exploiting these attack vectors, core maintainers were able to send deceptive information to a terminal screen running the `helm` command, as well as obscure or alter information on the screen. In some cases, we could send codes that terminals used to execute higher-order logic, like clearing a terminal screen. Further, during evaluation, the Helm maintainers discovered a few other fields that were not properly sanitized when read out of repository index files.
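Added example (not part of this bug report and not Helm's own code): a Go sanitizer that strips control characters and ANSI CSI escape sequences from untrusted chart metadata before it is written to a terminal, run over constructed `version` and `description` values of the kind the description above refers to (a clear-screen sequence, a carriage return that overwrites earlier output, and colour codes in a non-SemVer version). The sample values, the function names and the `helm search repo`-style row layout are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed chart metadata, as an attacker controlling a repository
// index.yaml or Chart.yaml could supply it (assumed values for this
// example, not data from any real chart):
//   - description hides an ANSI clear-screen (ESC [ 2 J) and a carriage
//     return so the following bytes overwrite the start of the line
//   - version is not valid SemVer and carries colour codes
const (
	untrustedName        = "nginx"
	untrustedVersion     = "1.0.0\x1b[31mCRITICAL\x1b[0m"
	untrustedDescription = "Harmless chart \x1b[2J\r[OK] verified"
)

// SanitizeForTerminal strips control characters and ANSI CSI escape
// sequences from an untrusted string before it is written to a terminal.
// Printable runes, including non-ASCII letters, are kept. Illustrative
// sanitizer written for this example, not Helm's own implementation.
func SanitizeForTerminal(s string) string {
	const (
		stNormal = iota
		stEsc    // just saw ESC (0x1b)
		stCSI    // inside "ESC [" ... final byte
	)
	var b strings.Builder
	b.Grow(len(s))
	state := stNormal
	for _, r := range s {
		switch state {
		case stEsc:
			if r == '[' {
				state = stCSI // CSI: parameter bytes, then a final byte 0x40..0x7e
			} else {
				state = stNormal // two-byte escape such as "ESC c" (reset): dropped
			}
		case stCSI:
			if r >= 0x40 && r <= 0x7e {
				state = stNormal // final byte reached, sequence fully dropped
			}
		default:
			switch {
			case r == 0x1b:
				state = stEsc
			case unicode.IsControl(r):
				// CR, LF, BEL, DEL and C1 controls: drop rather than pass through
			default:
				b.WriteRune(r)
			}
		}
	}
	return b.String()
}

// NeedsSanitizing reports whether printing s verbatim would emit bytes a
// terminal interprets; usable as a check when validating chart metadata.
func NeedsSanitizing(s string) bool {
	return SanitizeForTerminal(s) != s
}

// RenderChartRow builds one output line from chart fields, sanitizing each
// field first. The tab-separated layout mirrors "helm search repo" output
// (an assumption for this example).
func RenderChartRow(name, version, description string) string {
	return fmt.Sprintf("%s\t%s\t%s",
		SanitizeForTerminal(name),
		SanitizeForTerminal(version),
		SanitizeForTerminal(description))
}

func main() {
	unsafeRow := fmt.Sprintf("%s\t%s\t%s", untrustedName, untrustedVersion, untrustedDescription)
	// %q shows the escape bytes instead of letting the terminal act on them.
	fmt.Printf("unsafe (quoted): %q\n", unsafeRow)
	fmt.Printf("safe   (quoted): %q\n", RenderChartRow(untrustedName, untrustedVersion, untrustedDescription))
}
```

Printing the unsafe row with `%s` instead of `%q` on a real terminal would clear the screen and replace the start of the line with "[OK] verified", which is the class of behaviour the report describes; the sanitized row contains only printable text. A sanitizer at the output boundary is a defence in depth, not a substitute for validating the `version` field as SemVer and rejecting values that fail to parse.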