OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details for helm.sh/helm/v3 [CVE-2018-1714] CWE-269: Improper Privilege Management #283

Closed tateexon closed 1 year ago

tateexon commented 2 years ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/CVE-2018-1714?component-type=golang&component-name=helm.sh%2Fhelm%2Fv3&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.33

Description

Both the Helm GitHub tickets:

Have been closed. Are these still the correct tickets to track this issue, since the issue is still showing as present on the latest version of Helm, v3.9.0? It is fully possible this is still an issue, but we may want to make a new ticket if it still needs to be fixed; otherwise it will just live on forever.

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

OSS Index only supports go mod packages, and from our database it seems that github.com/helm/helm only has a single go.mod version (v1.2.1). Our research indicates that version is vulnerable to CWE-269 (Improper Privilege Management).

I cannot at the current time say whether the issue has been fixed in any newer versions of Helm, nor whether it is appropriate to create new issue reports for the Helm project.

ken-duck commented 1 year ago

This past year, among other changes, we upgraded the OSS Index vulnerability database. The new database has significantly more vulnerabilities, is much more actively maintained, and has more in-depth research on many of the issues. The issue reported here was resolved in the new database, and as such we are closing the issue.

For the record, we are migrating to a new email-based reporting system in order to better mesh with our internal processes, which will allow us to be more reactive to our users.