golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/plugin/installer: GHSA-qq3j-xp49-j73f #1423

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 1 year ago

In GitHub Security Advisory GHSA-qq3j-xp49-j73f, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| helm.sh/helm/v3/pkg/plugin/installer | 3.2.4 | >= 3.0.0, < 3.2.4 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

```yaml
modules:
  - module: TODO
    versions:
      - introduced: 3.0.0
        fixed: 3.2.4
    packages:
      - package: helm.sh/helm/v3/pkg/plugin/installer
description: |
  The Helm core maintainers have identified an information disclosure
  vulnerability in Helm 3.0.0-3.2.3.

  ### Impact

  A traversal attack is possible when installing Helm plugins from a tar
  archive over HTTP.  It is possible for a malicious plugin author to inject a relative
  path into a plugin archive, and copy a file outside of the intended directory.

  Traversal Attacks are a form of a Directory Traversal that can be exploited by
  extracting files from an archive. The premise of the Directory Traversal
  vulnerability is that an attacker can gain access to parts of the file system
  outside of the target folder in which they should reside. The attacker can
  then overwrite executable files and either invoke them remotely or wait for
  the system or user to call them, thus achieving Remote Command Execution on
  the victim's machine. The vulnerability can also cause damage by overwriting
  configuration files or other sensitive resources, and can be exploited on both
  client (user) machines and servers.

  https://snyk.io/research/zip-slip-vulnerability

  ### Patches

  This issue has been fixed in Helm 3.2.4

  ### For more information
  If you have any questions or comments about this advisory:
  * Open an issue in [the Helm repository](https://github.com/helm/helm/issues)
  * For security-specific issues, email us at [cncf-helm-security@lists.cncf.io](mailto:cncf-helm-security@lists.cncf.io)
cves:
  - CVE-2020-4053
ghsas:
  - GHSA-qq3j-xp49-j73f
```
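The advisory above describes the zip-slip pattern in general terms: an archive entry whose name contains `..` is joined onto the destination directory and lands outside it. The following is an added example, not code from Helm or from this issue, showing the containment check a tar extractor needs and what happens without it. It builds a constructed plugin archive in memory containing a benign `plugin.yaml` and an entry named `../evil.sh`, then extracts it into a temporary directory. The names `TarEntry`, `BuildTar`, `SafeTarget`, `Extract` and `ErrTraversal` are this example's own, not Helm's API.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// TarEntry is a constructed archive entry used only to build sample archives.
type TarEntry struct {
	Name string
	Body string
}

// BuildTar writes the given entries into an in-memory tar archive, in order.
func BuildTar(entries []TarEntry) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o644, Size: int64(len(e.Body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write([]byte(e.Body)); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// ErrTraversal is returned when an entry would be written outside the destination.
var ErrTraversal = errors.New("tar entry escapes destination directory")

// SafeTarget is the containment check. filepath.Join cleans the result, so
// "sub/../../x" collapses before the prefix test; the naive version that
// just concatenates dest + name is exactly what zip-slip exploits.
func SafeTarget(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// Extract unpacks archive into dest, refusing any entry that would escape dest.
// It returns the files written before it stopped so callers can clean up.
func Extract(archive []byte, dest string) ([]string, error) {
	var written []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := SafeTarget(dest, hdr.Name)
		if err != nil {
			return written, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode).Perm())
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, target)
		default:
			// Symlinks, hard links and devices are not needed for a plugin. A symlink
			// pointing outside dest followed by a regular entry written through it
			// would pass the prefix check above, so refuse them rather than follow them.
			return written, fmt.Errorf("unsupported tar entry type %d for %q", hdr.Typeflag, hdr.Name)
		}
	}
}

func main() {
	dest, err := os.MkdirTemp("", "plugin-install")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)

	// Constructed malicious archive: a normal plugin.yaml followed by an
	// entry whose name climbs out of the plugin directory.
	archive, err := BuildTar([]TarEntry{
		{Name: "plugin.yaml", Body: "name: demo\nversion: 0.1.0\n"},
		{Name: "../evil.sh", Body: "#!/bin/sh\necho owned\n"},
	})
	if err != nil {
		panic(err)
	}
	written, err := Extract(archive, dest)
	fmt.Println("written:", written)
	fmt.Println("error:", err)
}
```

The prefix test alone is not the whole story for a real installer: it must also be applied to the link target of any symlink entry you choose to honour, and entries should be processed in archive order so a directory entry cannot be replaced by a symlink before files inside it are written. Rejecting link and device entries outright, as above, is the simplest way to close that gap for plugin archives that only need regular files.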
tatianab commented 1 year ago

Duplicate of https://github.com/golang/vulndb/issues/868