QID 980045
QID 980045: Go (go) Security Update for helm.sh/helm/v3/pkg/plugin (GHSA-m54r-vrmv-hw33)
Security update has been released for helm.sh/helm/v3/pkg/plugin,helm.sh/helm,helm.sh/helm/v3 to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Security researchers at Trail of Bits discovered that plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`.
Solution
This issue has been patched in Helm 3.3.2.Workaround:
Do not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.
Do not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.
Vendor References
- GHSA-m54r-vrmv-hw33 -
github.com/advisories/GHSA-m54r-vrmv-hw33
CVEs related to QID 980045
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-m54r-vrmv-hw33 | helm.sh/helm |
github.com/advisories/GHSA-m54r-vrmv-hw33 |
|
| GHSA-m54r-vrmv-hw33 | helm.sh/helm/v3 |
github.com/advisories/GHSA-m54r-vrmv-hw33 |
|
| GHSA-m54r-vrmv-hw33 | helm.sh/helm/v3/pkg/plugin |
github.com/advisories/GHSA-m54r-vrmv-hw33 |