x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-xrxm-mvqm-r553 #1948

GoVulnBot · 2023-07-19T22:01:32Z

In GitHub Security Advisory GHSA-xrxm-mvqm-r553, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
helm.sh/helm/v3	2.12.2	>= 2.0.0, < 2.12.2

Cross references:

Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/chartutil: GHSA-9vp5-m38w-j776 #817 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/plugin: GHSA-c52f-pq47-2r9j #820 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/repo: GHSA-jm56-5h66-w453 #851 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/plugin: GHSA-m54r-vrmv-hw33 #856 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-q8q8-93cv-v6h8 #864 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/plugin/installer: GHSA-qq3j-xp49-j73f #868 NOT_IMPORTABLE
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-56hp-xqp3-w2jf #384
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in github.com/helm/helm: CVE-2022-36055 #962
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-c38g-469g-cmgx #1040
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-53c4-hhmh-vw5q #1165
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-67fx-wx78-jx33 #1166
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-6rx9-889q-vv2r #1167
Module helm.sh/helm/v3 appears in issue x/vulndb: potential Go vuln in github.com/helm/helm: CVE-2023-25165 #1547

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: helm.sh/helm/v3
      versions:
        - introduced: 2.0.0
          fixed: 2.12.2
      packages:
        - package: helm.sh/helm/v3
summary: Helm Path Traversal
description: |-
    All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22:
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    vulnerability in The commands `helm fetch --untar` and `helm lint some.tgz` that
    can result when chart archive files are unpacked a file may be unpacked outside
    of the target directory. This attack appears to be exploitable via a victim must
    run a helm command on a specially crafted chart archive. This vulnerability
    appears to have been fixed in 2.12.2.
cves:
    - CVE-2019-1000008
ghsas:
    - GHSA-xrxm-mvqm-r553
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2019-1000008
    - web: https://helm.sh/blog/helm-security-notice-2019/index.html
    - advisory: https://github.com/advisories/GHSA-xrxm-mvqm-r553

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-07-31T20:51:03Z

Change https://go.dev/cl/514636 mentions this issue: data/excluded: batch add 31 excluded reports

gopherbot · 2024-06-14T17:49:49Z

Change https://go.dev/cl/592762 mentions this issue: data/reports: unexclude 75 reports

gopherbot · 2024-08-20T16:54:30Z

Change https://go.dev/cl/606788 mentions this issue: data/reports: unexclude 20 reports (8)

- data/reports/GO-2023-1912.yaml - data/reports/GO-2023-1915.yaml - data/reports/GO-2023-1919.yaml - data/reports/GO-2023-1922.yaml - data/reports/GO-2023-1924.yaml - data/reports/GO-2023-1925.yaml - data/reports/GO-2023-1927.yaml - data/reports/GO-2023-1928.yaml - data/reports/GO-2023-1931.yaml - data/reports/GO-2023-1932.yaml - data/reports/GO-2023-1936.yaml - data/reports/GO-2023-1938.yaml - data/reports/GO-2023-1939.yaml - data/reports/GO-2023-1940.yaml - data/reports/GO-2023-1942.yaml - data/reports/GO-2023-1945.yaml - data/reports/GO-2023-1946.yaml - data/reports/GO-2023-1948.yaml - data/reports/GO-2023-1950.yaml - data/reports/GO-2023-1952.yaml Updates #1912 Updates #1915 Updates #1919 Updates #1922 Updates #1924 Updates #1925 Updates #1927 Updates #1928 Updates #1931 Updates #1932 Updates #1936 Updates #1938 Updates #1939 Updates #1940 Updates #1942 Updates #1945 Updates #1946 Updates #1948 Updates #1950 Updates #1952 Change-Id: Id25f09c8f7270af68238752db96d6a399b91ef36 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606788 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>

neild self-assigned this Jul 31, 2023

neild added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jul 31, 2023

gopherbot closed this as completed in 2439098 Jul 31, 2023

GoVulnBot mentioned this issue Mar 5, 2024

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-jw44-4f3j-q396 #2607

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-xrxm-mvqm-r553 #1948

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-xrxm-mvqm-r553 #1948

GoVulnBot commented Jul 19, 2023

gopherbot commented Jul 31, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-xrxm-mvqm-r553 #1948

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-xrxm-mvqm-r553 #1948

Comments

GoVulnBot commented Jul 19, 2023

gopherbot commented Jul 31, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024