blob: e8c499ececdc7a82952b2795193ef1591319967a [file] [log] [blame]
id: GO-2022-0384
modules:
- module: helm.sh/helm/v3
versions:
- fixed: 3.6.1
vulnerable_at: 3.6.0
packages:
- package: helm.sh/helm/v3/pkg/downloader
symbols:
- ChartDownloader.ResolveChartVersion
derived_symbols:
- ChartDownloader.DownloadTo
- Manager.Build
- Manager.Update
summary: Repository credentials passed to alternate domain in helm.sh/helm/v3
description: |-
The username and password credentials associated with a Helm repository can be
passed to another domain referenced by that Helm repository.
If the index.yaml for a Helm repository is hosted on one domain and references a
chart archive on a different domain, Helm will provide the credentials for the
index.yaml's domain when fetching those archives.
published: 2022-07-15T23:29:45Z
cves:
- CVE-2021-32690
ghsas:
- GHSA-56hp-xqp3-w2jf
- GHSA-7jr6-prv4-5wf5
references:
- advisory: https://github.com/advisories/GHSA-56hp-xqp3-w2jf
- fix: https://github.com/helm/helm/commit/61d8e8c4a6f95540c15c6a65f36a6dd0a45e7a2f
review_status: REVIEWED