Skip to content

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-56hp-xqp3-w2jf #384

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
GoVulnBot opened this issue Mar 24, 2022 · 3 comments
Closed

x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-56hp-xqp3-w2jf #384

GoVulnBot opened this issue Mar 24, 2022 · 3 comments
Assignees
@neild
Labels
NeedsReport

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-56hp-xqp3-w2jf, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
helm.sh/helm/v3 3.6.1 < 3.6.1

See doc/triage.md for instructions on how to triage this report.

package: helm.sh/helm/v3
versions:
  - introduced: v0.0.0
    fixed: v3.6.1
description: |
    While working on the Helm source, a Helm core maintainer discovered a situation where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository.

    ### Impact

    The `index.yaml` within a Helm chart repository contains a reference where to get the chart archive for each version of a chart. The reference can be relative to the `index.yaml` file or a URL to location. The URL can point to any domain and this is a feature leveraged by Helm users. For example, an `index.yaml` file can be hosted on GitHub pages while the chart archives are hosted as GitHub releases. These are on different domain names and the `index.yaml` file points to the other domain.

    When a username and password were associated with a Helm repository the username and password were also passed on to other domains referenced in the `index.yaml` file. This occurred when Helm went to retrieve a specific chart archive on the other domain.

    ### Patches

    This issue has been resolved in 3.6.1.

    There is a slight behavior change to credential handling with regard to repositories. Usernames and passwords are only passed to the URL location of the Helm repository by default. The username and password are scoped to the scheme, host, and port of the Helm repository. To pass the username and password to other domains Helm may encounter when it goes to retrieve a chart, the new `--pass-credentials` flag can be used. This flag restores the old behavior for a single repository as an opt-in behavior.

    ### Workarounds

    If you use a username and password for a Helm repository you can audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, look for another domain in the `urls` list for the chart versions. If there is another domain found and that chart version was pulled or installed the credentials would have been passed on.

    ### For more information

    Helm's security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md) document.
published: 2021-06-23T18:14:15Z
last_modified: 2021-06-23T18:14:15Z
ghsas:
  - GHSA-56hp-xqp3-w2jf
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/416518 mentions this issue: x/vulndb: add reports/GO-2022-0384.yaml for GHSA-56hp-xqp3-w2jf

@neild neild self-assigned this Jul 8, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/423038 mentions this issue: reports: add missing GHSAs

gopherbot pushed a commit that referenced this issue Aug 12, 2022
@julieqiu
reports: add missing GHSAs
46c14cb 
For #57
For #380
For #384
For #386
For #402
For #534

Change-Id: I953da31e396f0afae72e8d4e2fc7bc51fb303570
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/423038
Reviewed-by: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Julie Qiu <[email protected]>
Run-TryBot: Julie Qiu <[email protected]>
@tatianab tatianab mentioned this issue Nov 18, 2022
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/451281 mentions this issue: data/reports: update GO-2022-0384.yaml and delete dupe GO-2022-0918

gopherbot pushed a commit that referenced this issue Nov 18, 2022
@tatianab
data/reports: update GO-2022-0384.yaml and delete dupe GO-2022-0918
1532d16 
Add advisory link for GO-2022-0384 and delete GO-2022-0918 which is a
duplicate of it.

Aliases: CVE-2021-32690, GHSA-56hp-xqp3-w2jf, GHSA-7jr6-prv4-5wf5

Updates #384, #918

Change-Id: Iad28e1aeea5587d8ee49680a2fd28494f3b14bda
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/451281
Run-TryBot: Tatiana Bradley <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
This was referenced Jul 18, 2023
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Mar 5, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
NeedsReport
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@neild @rolandshoemaker @gopherbot @GoVulnBot