QID 980044
QID 980044: Go (go) Security Update for helm.sh/helm/v3/pkg/chartutil (GHSA-9vp5-m38w-j776)
Security update has been released for helm.sh/helm/v3/pkg/chartutil, helm.sh/helm and helm.sh/helm/v3 to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart.
Solution
This issue has been patched in Helm 3.3.2 and 2.16.11.
Workaround:
Manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.
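As an added example (not Helm's own code and not part of the advisory), a small Go check that implements the workaround above: it pulls `alias:` values from a chart's `dependencies` block and rejects any that contain newlines or path characters. The allowlist regex and the line-based scanner are assumptions made for this example, not Helm's actual implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Allowlist assumed for this example (not Helm's own validation): letters, digits, '-' and '_'.
var aliasFormat = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)
// ValidateAlias reports why a dependency alias is unsafe, or nil if it is acceptable.
func ValidateAlias(alias string) error {
	switch {
	case alias == "":
		return nil // alias not used: acceptable per the workaround
	case strings.ContainsAny(alias, "\r\n"):
		return fmt.Errorf("alias %q contains a newline", alias)
	case strings.ContainsAny(alias, `/\`) || strings.Contains(alias, ".."):
		return fmt.Errorf("alias %q contains path characters", alias)
	case !aliasFormat.MatchString(alias):
		return fmt.Errorf("alias %q contains disallowed characters", alias)
	}
	return nil
}

// CheckChart scans Chart.yaml text for `alias:` values and returns one message per unsafe
// alias. The line scanner is a simplification for this example, not a real YAML parser.
func CheckChart(chartYAML string) []string {
	var problems []string
	for _, line := range strings.Split(chartYAML, "\n") {
		t := strings.TrimPrefix(strings.TrimSpace(line), "- ")
		if !strings.HasPrefix(t, "alias:") {
			continue
		}
		v := strings.Trim(strings.TrimSpace(strings.TrimPrefix(t, "alias:")), `"'`)
		if err := ValidateAlias(v); err != nil {
			problems = append(problems, err.Error())
		}
	}
	return problems
}
// sampleChart is a constructed dependencies block with one clean and one unsafe alias.
const sampleChart = `dependencies:
  - name: redis
    alias: cache
  - name: postgresql
    alias: ../outside
`
func main() { fmt.Println(CheckChart(sampleChart)) }
```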
Vendor References
- GHSA-9vp5-m38w-j776 - github.com/advisories/GHSA-9vp5-m38w-j776
CVEs related to QID 980044
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-9vp5-m38w-j776 | helm.sh/helm | | |
| GHSA-9vp5-m38w-j776 | helm.sh/helm/v3 | | |
| GHSA-9vp5-m38w-j776 | helm.sh/helm/v3/pkg/chartutil | | |