Описание
Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.
A command injection vulnerability has been identified in Helm, a package manager for Kubernetes. An attacker can craft a malicious Chart.yaml file with specially linked dependencies in a Chart.lock file. If the Chart.lock file is a symbolic link to an executable file, such as a shell script, and a user attempts to update the dependencies, the crafted content is written to the symlinked file and executed. This can lead to local code execution on the system. This issue has been patched in Helm version 3.18.4, and users should update to this version to mitigate the risk.
Отчет
Although GitOps ships Helm, this product is not vulnerable to this vulnerability as ArgoCD doesn't use helm dependency update. Additionally ArgoCD scans the whole repository searching for symbolic links that eventually points to a out of bounds destination, this later feature ensures ArgoCD is not vulnerable for this issue. Given this information ArgoCD won't be updated to pull a new version of Helm in other versions than the currently latest upstream one.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Deployment Validation Operator | dvo/deployment-validation-operator-bundle | Affected | ||
| Deployment Validation Operator | dvo/deployment-validation-rhel8-operator | Affected | ||
| Migration Toolkit for Applications 7 | mta/mta-cli-rhel9 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/addon-manager-rhel8 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/addon-manager-rhel9 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/backplane-rhel8-operator | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/backplane-rhel9-operator | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/cluster-proxy-rhel8 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/cluster-proxy-rhel9 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/hypershift-addon-rhel8-operator | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
8.5 High
CVSS3
Связанные уязвимости
Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.
Helm Chart Dependency Updating With Malicious Chart.yaml Content And Symlink Can Lead To Code Execution
Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, ...
Helm vulnerable to Code Injection through malicious chart.yaml content
EPSS
8.5 High
CVSS3