GHSA-9vp5-m38w-j776

Published: 24 May 2021
Source: github
Github: Reviewed
CVSS3: 3.7

Description

Aliases are never checked in helm

Impact

During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart.

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11.

Specific Go Packages Affected

helm.sh/helm/v3/pkg/chartutil

Workarounds

Manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.
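An added example, not Helm's own code, that applies the manual review rule above to a constructed dependencies list: it flags any alias that contains a newline or path characters. The Dependency struct is a hypothetical minimal stand-in for a parsed Chart.yaml dependency entry.

```go
package main

import (
	"fmt"
	"strings"
)

// Dependency is a hypothetical minimal stand-in for a Chart.yaml dependency entry.
type Dependency struct {
	Name  string
	Alias string
}

// CheckAlias applies the advisory's review rule: an alias is acceptable when
// it is empty (unused) or contains no newline and no path characters. The
// path components "." and ".." are rejected as well.
func CheckAlias(alias string) error {
	if alias == "" {
		return nil
	}
	if strings.ContainsAny(alias, "\n\r") {
		return fmt.Errorf("alias %q contains a newline", alias)
	}
	if strings.ContainsAny(alias, `/\`) || alias == "." || alias == ".." {
		return fmt.Errorf("alias %q contains path characters", alias)
	}
	return nil
}

// UnsafeAliases returns the names of dependencies whose alias fails CheckAlias.
func UnsafeAliases(deps []Dependency) []string {
	var bad []string
	for _, d := range deps {
		if CheckAlias(d.Alias) != nil {
			bad = append(bad, d.Name)
		}
	}
	return bad
}

func main() {
	// Constructed sample standing in for the dependencies list of an untrusted chart.
	deps := []Dependency{
		{Name: "postgresql", Alias: "db"},
		{Name: "redis", Alias: "cache\nextra"},
		{Name: "nginx", Alias: "../web"},
		{Name: "memcached"},
	}
	fmt.Println("dependencies with unsafe alias:", UnsafeAliases(deps))
}
```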

Packages

Name: helm.sh/helm/v3 (go)
Affected versions: >= 3.0.0, < 3.3.2
Fixed version: 3.3.2

Name: helm.sh/helm (go)
Affected versions: < 2.16.11
Fixed version: 2.16.11

EPSS

Percentile: 46%
0.00234
Low

3.7 Low

CVSS3

Weaknesses

CWE-20
CWE-74

Related vulnerabilities

CVSS3: 2.7
redhat
more than 5 years ago

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.

CVSS3: 3.7
nvd
more than 5 years ago

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.

CVSS3: 3.7
debian
more than 5 years ago

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the ...

suse-cvrf
about 5 years ago

Security changes in Kubernetes, etcd, and helm; Bugfix in cri-o package
