x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-p5pc-m4q7-7qm9 #1938

GoVulnBot · 2023-07-18T00:01:24Z

In GitHub Security Advisory GHSA-p5pc-m4q7-7qm9, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
helm.sh/helm/v3	2.15.2	>= 2.0.0, < 2.15.2

Cross references:

Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/chartutil: GHSA-9vp5-m38w-j776 #817 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/plugin: GHSA-c52f-pq47-2r9j #820 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/repo: GHSA-jm56-5h66-w453 #851 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/plugin: GHSA-m54r-vrmv-hw33 #856 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-q8q8-93cv-v6h8 #864 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/plugin/installer: GHSA-qq3j-xp49-j73f #868 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-56hp-xqp3-w2jf #384
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in github.com/helm/helm: CVE-2022-36055 #962
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-c38g-469g-cmgx #1040
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-53c4-hhmh-vw5q #1165
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-67fx-wx78-jx33 #1166
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-6rx9-889q-vv2r #1167
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in github.com/helm/helm: CVE-2023-25165 #1547

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: helm.sh/helm/v3
      versions:
        - introduced: 2.0.0
          fixed: 2.15.2
      packages:
        - package: helm.sh/helm/v3
summary: Helm Unsafe Link Following
description: |-
    In Helm 2.x before 2.15.2, commands that deal with loading a chart as a
    directory or packaging a chart provide an opportunity for a maliciously designed
    chart to include sensitive content such as /etc/passwd, or to execute a denial
    of service (DoS) via a special file such as /dev/urandom, via symlinks. No
    version of Tiller is known to be impacted. This is a client-only issue.
cves:
    - CVE-2019-18658
ghsas:
    - GHSA-p5pc-m4q7-7qm9
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2019-18658
    - web: https://helm.sh/blog/2019-10-30-helm-symlink-security-notice/
    - advisory: https://github.com/advisories/GHSA-p5pc-m4q7-7qm9

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-07-25T21:19:41Z

Change https://go.dev/cl/513195 mentions this issue: data/excluded: batch add 26 excluded reports

gopherbot · 2024-06-14T17:44:24Z

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports

gopherbot · 2024-08-20T16:54:26Z

Change https://go.dev/cl/606788 mentions this issue: data/reports: unexclude 20 reports (8)

- data/reports/GO-2023-1912.yaml - data/reports/GO-2023-1915.yaml - data/reports/GO-2023-1919.yaml - data/reports/GO-2023-1922.yaml - data/reports/GO-2023-1924.yaml - data/reports/GO-2023-1925.yaml - data/reports/GO-2023-1927.yaml - data/reports/GO-2023-1928.yaml - data/reports/GO-2023-1931.yaml - data/reports/GO-2023-1932.yaml - data/reports/GO-2023-1936.yaml - data/reports/GO-2023-1938.yaml - data/reports/GO-2023-1939.yaml - data/reports/GO-2023-1940.yaml - data/reports/GO-2023-1942.yaml - data/reports/GO-2023-1945.yaml - data/reports/GO-2023-1946.yaml - data/reports/GO-2023-1948.yaml - data/reports/GO-2023-1950.yaml - data/reports/GO-2023-1952.yaml Updates #1912 Updates #1915 Updates #1919 Updates #1922 Updates #1924 Updates #1925 Updates #1927 Updates #1928 Updates #1931 Updates #1932 Updates #1936 Updates #1938 Updates #1939 Updates #1940 Updates #1942 Updates #1945 Updates #1946 Updates #1948 Updates #1950 Updates #1952 Change-Id: Id25f09c8f7270af68238752db96d6a399b91ef36 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606788 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>

neild self-assigned this Jul 25, 2023

neild added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jul 25, 2023

gopherbot closed this as completed in c30dc8f Jul 25, 2023

GoVulnBot mentioned this issue Mar 5, 2024

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-jw44-4f3j-q396 #2607

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-p5pc-m4q7-7qm9 #1938

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-p5pc-m4q7-7qm9 #1938

GoVulnBot commented Jul 18, 2023

gopherbot commented Jul 25, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-p5pc-m4q7-7qm9 #1938

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-p5pc-m4q7-7qm9 #1938

Comments

GoVulnBot commented Jul 18, 2023

gopherbot commented Jul 25, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024