GHSA-m54r-vrmv-hw33
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m54r-vrmv-hw33
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-m54r-vrmv-hw33/GHSA-m54r-vrmv-hw33.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m54r-vrmv-hw33
- Aliases
- Published
- 2021-05-24T16:57:12Z
- Modified
- 2023-12-06T00:45:14.999193Z
- Severity
-
- 3.4 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N CVSS Calculator
- Summary
- Improper Sanitizing of plugin names in helm
- Details
-
Impact
Security researchers at Trail of Bits discovered that plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to
helm --help.Specific Go Packages Affected
helm.sh/helm/v3/pkg/plugin
Patches
This issue has been patched in Helm 3.3.2.
Workarounds
Do not install untrusted Helm plugins. Examine the
namefield in theplugin.yamlfile for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range. - References
Affected packages
Go / helm.sh/helm/v3
Package
- Name
- helm.sh/helm/v3
- View open source insights on deps.dev
- Purl
- pkg:golang/helm.sh/helm/v3
Go / helm.sh/helm
Package
- Name
- helm.sh/helm
- View open source insights on deps.dev
- Purl
- pkg:golang/helm.sh/helm