| id: GO-2024-2575 |
| modules: |
| - module: helm.sh/helm/v3 |
| versions: |
| - fixed: 3.14.2 |
| vulnerable_at: 3.14.1 |
| packages: |
| - package: helm.sh/helm/v3/pkg/plugin |
| symbols: |
| - validatePluginData |
| derived_symbols: |
| - FindPlugins |
| - LoadAll |
| - LoadDir |
| - package: helm.sh/helm/v3/pkg/repo |
| symbols: |
| - loadIndex |
| derived_symbols: |
| - ChartRepository.DownloadIndexFile |
| - ChartRepository.Load |
| - FindChartInAuthAndTLSAndPassRepoURL |
| - FindChartInAuthAndTLSRepoURL |
| - FindChartInAuthRepoURL |
| - FindChartInRepoURL |
| - LoadIndexFile |
| summary: Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3 |
| cves: |
| - CVE-2024-26147 |
| ghsas: |
| - GHSA-r53h-jv2g-vpx6 |
| unknown_aliases: |
| - BIT-helm-2024-26147 |
| credits: |
| - Jakub Ciolek at AlphaSense |
| references: |
| - advisory: https://github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6 |
| - fix: https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af |
| source: |
| id: GHSA-r53h-jv2g-vpx6 |
| created: 2024-07-01T14:57:47.79335-04:00 |
| review_status: REVIEWED |
