CVE-2024-25620: Dependency management path traversal in helm
Description
Helm is a tool for managing Charts, which are packages of pre-configured Kubernetes resources. When the Helm client or SDK saves a chart whose `name` in Chart.yaml contains a relative path change (for example `../` segments), the chart is written outside its expected directory, wherever that relative path leads. Helm's chart validation and linting did not detect the path change in the name. The issue is resolved in Helm v3.14.1. Users unable to upgrade should check the `name` field of every Chart.yaml Helm uses for path changes; this includes dependencies.
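The check the advisory recommends (audit every Chart.yaml name, dependencies included) and the join-without-validation pattern behind the bug, as an added Go example. This is not Helm's own code: `VulnerableSavePath` is a simplified reconstruction of the behaviour the description implies, not Helm's implementation; the regexp-based name extraction is a minimal line matcher rather than a YAML parser; and every function name and the sample input are this example's own assumptions.

```go
// Added example for CVE-2024-25620; not Helm's code. Contrasts the unchecked
// "join the chart name onto the destination" pattern with a hardened version
// and scans Chart.yaml files (including dependencies:) for traversal names.
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrUnsafeChartName flags a name that could move out of the target directory.
var ErrUnsafeChartName = errors.New("chart name contains a path separator or is '.'/'..'")

// VulnerableSavePath: assumed reconstruction of the pre-fix behaviour. The name
// from Chart.yaml is joined onto dest with no check, so a name "../../etc/evil"
// under dest /tmp/charts resolves to /etc/evil.
func VulnerableSavePath(dest, name string) string {
	return filepath.Join(dest, name)
}

// CheckChartName accepts only a single plain path component; a real Helm chart
// name never needs '/', '\' or a bare '.' or '..'.
func CheckChartName(name string) error {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return ErrUnsafeChartName
	}
	return nil
}

// SafeSavePath builds dest/name only after CheckChartName passes, then verifies
// the resolved path is still inside dest (defence in depth against a missed case).
func SafeSavePath(dest, name string) (string, error) {
	if err := CheckChartName(name); err != nil {
		return "", err
	}
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	out := filepath.Join(absDest, name)
	rel, err := filepath.Rel(absDest, out)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeChartName
	}
	return out, nil
}

// Finding is one suspicious name and the Chart.yaml it came from.
type Finding struct{ File, Name string }

// nameLine matches "name: foo" at top level and "- name: foo" in a dependencies
// list. Deliberately minimal: not a YAML parser, quoted values handled loosely.
var nameLine = regexp.MustCompile(`^\s*-?\s*name:\s*["']?([^"'#\s]+)`)

// ScanChartContent returns every name in one Chart.yaml that fails CheckChartName.
func ScanChartContent(file string, content []byte) []Finding {
	var findings []Finding
	for _, line := range strings.Split(string(content), "\n") {
		if m := nameLine.FindStringSubmatch(line); m != nil && CheckChartName(m[1]) != nil {
			findings = append(findings, Finding{File: file, Name: m[1]})
		}
	}
	return findings
}

// ScanTree walks root and scans every Chart.yaml, which covers unpacked
// dependencies under charts/ as well as the top-level chart.
func ScanTree(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || d.Name() != "Chart.yaml" {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		findings = append(findings, ScanChartContent(path, data)...)
		return nil
	})
	return findings, err
}

func main() {
	// Constructed demo name; "../../etc/evil" is the kind of value the advisory warns about.
	fmt.Println("vulnerable join:", VulnerableSavePath("/tmp/charts", "../../etc/evil"))
	if _, err := SafeSavePath("/tmp/charts", "../../etc/evil"); err != nil {
		fmt.Println("hardened join: rejected:", err)
	}
	root := "." // or pass a charts directory as the first argument
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := ScanTree(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s: unsafe chart name %q\n", f.File, f.Name)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it as `go run chartname_check.go /path/to/charts`; a non-zero exit means at least one Chart.yaml carries a name that would change directories. Packaged dependencies (`charts/*.tgz`) are not read by this scanner: unpack them first, or inspect each archive's name with `helm show chart <archive>` before trusting it.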
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| helm.sh/helm/v3 (Go) | < 3.14.1 | 3.14.1 |
Affected products
158 package coordinates from OSV. None of them has a CPE assigned; each range lists the versions affected, i.e. everything below the first fixed build.

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/cert-manager-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-1.12-acmesolver | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-1.12-cainjector | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-1.12-controller | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-1.12-webhook | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-1.13 | < 1.13.3-r3 |
| pkg:apk/chainguard/cert-manager-1.13-acmesolver | < 1.13.3-r3 |
| pkg:apk/chainguard/cert-manager-1.13-cainjector | < 1.13.3-r3 |
| pkg:apk/chainguard/cert-manager-1.13-controller | < 1.13.3-r3 |
| pkg:apk/chainguard/cert-manager-1.13-webhook | < 1.13.3-r3 |
| pkg:apk/chainguard/cert-manager-1.14 | < 1.14.2-r1 |
| pkg:apk/chainguard/cert-manager-1.14-acmesolver | < 1.14.2-r1 |
| pkg:apk/chainguard/cert-manager-1.14-cainjector | < 1.14.2-r1 |
| pkg:apk/chainguard/cert-manager-1.14-controller | < 1.14.2-r1 |
| pkg:apk/chainguard/cert-manager-1.14-startupapicheck | < 1.14.2-r1 |
| pkg:apk/chainguard/cert-manager-1.14-webhook | < 1.14.2-r1 |
| pkg:apk/chainguard/cert-manager-acmesolver-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-acmesolver-1.12-bitnami-compat | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-acmesolver-1.12-iamguarded-compat | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-acmesolver-fips-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-cainjector-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-cainjector-1.12-bitnami-compat | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-cainjector-1.12-iamguarded-compat | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-cainjector-fips-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-controller-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-controller-1.12-bitnami-compat | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-controller-1.12-iamguarded-compat | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-controller-fips-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.12-acmesolver | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.12-cainjector | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.12-cmctl | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.12-controller | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.12-webhook | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.13 | < 1.13.3-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.13-acmesolver | < 1.13.3-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.13-cainjector | < 1.13.3-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.13-cmctl | < 1.13.3-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.13-controller | < 1.13.3-r4 |
| pkg:apk/chainguard/cert-manager-fips-1.13-webhook | < 1.13.3-r4 |
| pkg:apk/chainguard/cert-manager-webhook-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-webhook-1.12-bitnami-compat | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-webhook-1.12-iamguarded-compat | < 1.12.7-r4 |
| pkg:apk/chainguard/cert-manager-webhook-fips-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/chartmuseum | < 0.16.1-r2 |
| pkg:apk/chainguard/cilium-cli | < 0.15.23-r1 |
| pkg:apk/chainguard/cmctl-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/cmctl-1.12-fips | < 1.12.7-r4 |
| pkg:apk/chainguard/cmctl-1.13 | < 1.13.3-r3 |
| pkg:apk/chainguard/cmctl-1.13-fips | < 1.13.3-r4 |
| pkg:apk/chainguard/cmctl-1.14 | < 1.14.2-r1 |
| pkg:apk/chainguard/cmctl-fips-1.12 | < 1.12.7-r4 |
| pkg:apk/chainguard/eksctl | < 0.172.0-r1 |
| pkg:apk/chainguard/fluxcd-source-controller-bitnami-compat | < 1.2.4-r1 |
| pkg:apk/chainguard/flux-helm-controller | < 0.37.4-r1 |
| pkg:apk/chainguard/flux-helm-controller-bitnami-compat | < 0.37.4-r1 |
| pkg:apk/chainguard/flux-helm-controller-iamguarded-compat | < 0.37.4-r1 |
| pkg:apk/chainguard/flux-source-controller | < 1.2.4-r1 |
| pkg:apk/chainguard/flux-source-controller-bitnami-compat | < 1.2.4-r1 |
| pkg:apk/chainguard/flux-source-controller-iamguarded-compat | < 1.2.4-r1 |
| pkg:apk/chainguard/helm-fips | < 0 |
| pkg:apk/chainguard/helm-fips-3 | < 0 |
| pkg:apk/chainguard/helm-fips-4 | < 0 |
| pkg:apk/chainguard/helm-operator | < 1.33.0-r2 |
| pkg:apk/chainguard/helm-operator-compat | < 1.33.0-r2 |
| pkg:apk/chainguard/helm-push | < 0.10.4-r2 |
| pkg:apk/chainguard/istio-cni-fips-1.20 | < 1.20.3-r1 |
| pkg:apk/chainguard/istio-cni-fips-1.20-compat | < 1.20.3-r1 |
| pkg:apk/chainguard/istio-fips-1.20 | < 1.20.3-r1 |
| pkg:apk/chainguard/istio-install-cni-fips-1.20 | < 1.20.3-r1 |
| pkg:apk/chainguard/istio-install-cni-fips-1.20-compat | < 1.20.3-r1 |
| pkg:apk/chainguard/istio-operator-1.19 | < 1.19.7-r1 |
| pkg:apk/chainguard/istio-operator-1.20 | < 1.20.3-r1 |
| pkg:apk/chainguard/istio-operator-fips-1.19 | < 1.19.7-r1 |
| pkg:apk/chainguard/istio-operator-fips-1.20 | < 1.20.3-r1 |
| pkg:apk/chainguard/istio-pilot-agent-fips-1.20 | < 1.20.3-r1 |
| pkg:apk/chainguard/istio-pilot-agent-fips-1.20-compat | < 1.20.3-r1 |
| pkg:apk/chainguard/istio-pilot-discovery-fips-1.20 | < 1.20.3-r1 |
| pkg:apk/chainguard/k8sgpt | < 0.3.27-r1 |
| pkg:apk/chainguard/k9s | < 0.31.9-r0 |
| pkg:apk/chainguard/kots | < 1.107.4-r0 |
| pkg:apk/chainguard/kots-compat | < 1.107.4-r0 |
| pkg:apk/chainguard/kots-symlink-compat | < 1.107.4-r0 |
| pkg:apk/chainguard/kubescape | < 3.0.3-r8 |
| pkg:apk/chainguard/kubevela | < 1.10.0-r0 |
| pkg:apk/chainguard/kubevela-vela-cli | < 1.10.0-r0 |
| pkg:apk/chainguard/kubevela-vela-core | < 1.10.0-r0 |
| pkg:apk/chainguard/kubevela-vela-core-compat | < 1.10.0-r0 |
| pkg:apk/chainguard/trivy | < 0.49.1-r1 |
| pkg:apk/chainguard/up | < 0.24.1-r1 |
| pkg:apk/chainguard/vela-cli | < 1.10.0-r0 |
| pkg:apk/chainguard/vela-core | < 1.10.0-r0 |
| pkg:apk/chainguard/zarf | < 0.32.3-r1 |
| pkg:apk/chainguard/zot | < 2.0.1-r3 |
| pkg:apk/wolfi/cert-manager-1.12 | < 1.12.7-r4 |
| pkg:apk/wolfi/cert-manager-1.12-acmesolver | < 1.12.7-r4 |
| pkg:apk/wolfi/cert-manager-1.12-cainjector | < 1.12.7-r4 |
| pkg:apk/wolfi/cert-manager-1.12-controller | < 1.12.7-r4 |
| pkg:apk/wolfi/cert-manager-1.12-webhook | < 1.12.7-r4 |
| pkg:apk/wolfi/cert-manager-1.13 | < 1.13.3-r3 |
| pkg:apk/wolfi/cert-manager-1.13-acmesolver | < 1.13.3-r3 |
| pkg:apk/wolfi/cert-manager-1.13-cainjector | < 1.13.3-r3 |
| pkg:apk/wolfi/cert-manager-1.13-controller | < 1.13.3-r3 |
| pkg:apk/wolfi/cert-manager-1.13-webhook | < 1.13.3-r3 |
| pkg:apk/wolfi/cert-manager-1.14 | < 1.14.2-r1 |
| pkg:apk/wolfi/cert-manager-1.14-acmesolver | < 1.14.2-r1 |
| pkg:apk/wolfi/cert-manager-1.14-cainjector | < 1.14.2-r1 |
| pkg:apk/wolfi/cert-manager-1.14-controller | < 1.14.2-r1 |
| pkg:apk/wolfi/cert-manager-1.14-startupapicheck | < 1.14.2-r1 |
| pkg:apk/wolfi/cert-manager-1.14-webhook | < 1.14.2-r1 |
| pkg:apk/wolfi/chartmuseum | < 0.16.1-r2 |
| pkg:apk/wolfi/cilium-cli | < 0.15.23-r1 |
| pkg:apk/wolfi/cmctl-1.12 | < 1.12.7-r4 |
| pkg:apk/wolfi/cmctl-1.13 | < 1.13.3-r3 |
| pkg:apk/wolfi/cmctl-1.14 | < 1.14.2-r1 |
| pkg:apk/wolfi/eksctl | < 0.172.0-r1 |
| pkg:apk/wolfi/fluxcd-source-controller-bitnami-compat | < 1.2.4-r1 |
| pkg:apk/wolfi/flux-helm-controller | < 0.37.4-r1 |
| pkg:apk/wolfi/flux-helm-controller-bitnami-compat | < 0.37.4-r1 |
| pkg:apk/wolfi/flux-helm-controller-iamguarded-compat | < 0.37.4-r1 |
| pkg:apk/wolfi/flux-source-controller | < 1.2.4-r1 |
| pkg:apk/wolfi/flux-source-controller-bitnami-compat | < 1.2.4-r1 |
| pkg:apk/wolfi/flux-source-controller-iamguarded-compat | < 1.2.4-r1 |
| pkg:apk/wolfi/helm-operator | < 1.33.0-r2 |
| pkg:apk/wolfi/helm-operator-compat | < 1.33.0-r2 |
| pkg:apk/wolfi/helm-push | < 0.10.4-r2 |
| pkg:apk/wolfi/istio-operator-1.19 | < 1.19.7-r1 |
| pkg:apk/wolfi/istio-operator-1.20 | < 1.20.3-r1 |
| pkg:apk/wolfi/k8sgpt | < 0.3.27-r1 |
| pkg:apk/wolfi/k9s | < 0.31.9-r0 |
| pkg:apk/wolfi/kots | < 1.107.4-r0 |
| pkg:apk/wolfi/kots-compat | < 1.107.4-r0 |
| pkg:apk/wolfi/kots-symlink-compat | < 1.107.4-r0 |
| pkg:apk/wolfi/kubescape | < 3.0.3-r8 |
| pkg:apk/wolfi/kubevela | < 1.10.0-r0 |
| pkg:apk/wolfi/kubevela-vela-cli | < 1.10.0-r0 |
| pkg:apk/wolfi/kubevela-vela-core | < 1.10.0-r0 |
| pkg:apk/wolfi/kubevela-vela-core-compat | < 1.10.0-r0 |
| pkg:apk/wolfi/trivy | < 0.49.1-r1 |
| pkg:apk/wolfi/up | < 0.24.1-r1 |
| pkg:apk/wolfi/vela-cli | < 1.10.0-r0 |
| pkg:apk/wolfi/vela-core | < 1.10.0-r0 |
| pkg:apk/wolfi/zarf | < 0.32.3-r1 |
| pkg:apk/wolfi/zot | < 2.0.1-r3 |
| pkg:bitnami/helm | < 3.14.1 |
| pkg:golang/helm.sh/helm/v3 | < 3.14.1 |
| pkg:rpm/opensuse/helm3 (openSUSE Tumbleweed) | < 3.19.2-1.1 |
| pkg:rpm/opensuse/helm (openSUSE Leap 15.5) | < 3.16.3-150000.1.38.1 |
| pkg:rpm/opensuse/helm (openSUSE Leap 15.6) | < 3.16.3-150000.1.38.1 |
| pkg:rpm/opensuse/helm (openSUSE Leap Micro 5.5) | < 3.16.3-150000.1.38.1 |
| pkg:rpm/opensuse/helm (openSUSE Tumbleweed) | < 3.14.2-2.1 |
| pkg:rpm/suse/helm (SUSE Linux Enterprise Micro 5.5) | < 3.16.3-150000.1.38.1 |
| pkg:rpm/suse/helm (SUSE Linux Enterprise Module for Containers 15 SP5) | < 3.16.3-150000.1.38.1 |
| pkg:rpm/suse/helm (SUSE Linux Enterprise Module for Containers 15 SP6) | < 3.16.3-150000.1.38.1 |
| pkg:rpm/suse/helm (SUSE Linux Enterprise Module for Package Hub 15 SP5) | < 3.16.3-150000.1.38.1 |
| pkg:rpm/suse/helm (SUSE Linux Enterprise Module for Package Hub 15 SP6) | < 3.16.3-150000.1.38.1 |
| pkg:rpm/suse/helm (SUSE Linux Micro 6.0) | < 3.17.2-1.1 |
| pkg:rpm/suse/helm (SUSE Linux Micro 6.1) | < 3.17.2-slfo.1.1_1.1 |
Patches
Fixed upstream in Helm v3.14.1; the fix commit and the release are linked under References. Downstream rebuilds that vendor the Helm SDK (cert-manager, Flux, Istio, kots, kubevela and the other coordinates listed above) ship the fix in the builds named in their Affected range column. Users who cannot upgrade should audit the `name` field of every Chart.yaml they use, dependencies included, before letting Helm save or unpack it.
Vulnerability mechanics
Helm derives the on-disk location of a saved chart from the `name` field in its Chart.yaml. Before v3.14.1, neither chart validation nor linting rejected a name containing relative path segments, so a chart, or a dependency pulled in with it, whose name changed directories was written outside the location the client or SDK caller intended. The same name is trusted whether it comes from a chart the user authored or from a third-party dependency, which is why the advisory asks that dependencies be checked too.
References
- GHSA-v53g-5gjp-272r, GitHub Advisory Database: https://github.com/advisories/GHSA-v53g-5gjp-272r
- NVD entry for CVE-2024-25620: https://nvd.nist.gov/vuln/detail/CVE-2024-25620
- Fix commit in helm/helm: https://github.com/helm/helm/commit/0d0f91d1ce277b2c8766cdc4c7aa04dbafbf2503
- Helm v3.14.1 release: https://github.com/helm/helm/releases/tag/v3.14.1
- Helm project security advisory: https://github.com/helm/helm/security/advisories/GHSA-v53g-5gjp-272r