-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
helm.sh/helm/v3-v3.10.3: 5 vulnerabilities (highest severity is: 8.1) #23
Comments
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
Vulnerable Library - helm.sh/helm/v3-v3.10.3
Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.10.3.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/helm.sh/helm/v3/@v/v3.10.3.mod
Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-36623
Vulnerable Library - github.com/Docker/Docker-v20.10.18+incompatible
Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
Library home page: https://proxy.golang.org/github.com/!docker/!docker/@v/v20.10.18+incompatible.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/docker/docker/@v/v20.10.18+incompatible.mod
Dependency Hierarchy:
Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb
Found in base branch: main
Vulnerability Details
moby v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.
Publish Date: 2024-11-29
URL: CVE-2024-36623
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://gist.github.com/1047524396/c192c0159a19bf58a4373b696467dc29
Release Date: 2024-11-29
Fix Resolution: github.com/moby/moby-v25.0.4
Step up your Open Source Security Game with Mend here
CVE-2024-26147
Vulnerable Library - helm.sh/helm/v3-v3.10.3
Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.10.3.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/helm.sh/helm/v3/@v/v3.10.3.mod
Dependency Hierarchy:
Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb
Found in base branch: main
Vulnerability Details
Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an
index.yaml
file or a pluginsplugin.yaml
file were missing all metadata a panic would occur in Helm. In the Helm SDK, this is found when using theLoadIndexFile
orDownloadIndexFile
functions in therepo
package or theLoadDir
function in theplugin
package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can userecover
to catch the panic.Publish Date: 2024-02-21
URL: CVE-2024-26147
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-r53h-jv2g-vpx6
Release Date: 2024-02-21
Fix Resolution: v3.14.2
Step up your Open Source Security Game with Mend here
CVE-2024-36621
Vulnerable Library - github.com/Docker/Docker-v20.10.18+incompatible
Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
Library home page: https://proxy.golang.org/github.com/!docker/!docker/@v/v20.10.18+incompatible.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/docker/docker/@v/v20.10.18+incompatible.mod
Dependency Hierarchy:
Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb
Found in base branch: main
Vulnerability Details
moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.
Publish Date: 2024-11-29
URL: CVE-2024-36621
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2024-11-29
Fix Resolution: github.com/moby/moby-v25.0.5
Step up your Open Source Security Game with Mend here
CVE-2024-25620
Vulnerable Library - helm.sh/helm/v3-v3.10.3
Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.10.3.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/helm.sh/helm/v3/@v/v3.10.3.mod
Dependency Hierarchy:
Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb
Found in base branch: main
Vulnerability Details
Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the
Chart.yaml
file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in theChart.yaml
file. This includes dependencies.Publish Date: 2024-02-14
URL: CVE-2024-25620
CVSS 3 Score Details (6.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-25620
Release Date: 2024-02-14
Fix Resolution: v3.14.1
Step up your Open Source Security Game with Mend here
CVE-2023-25173
Vulnerable Library - github.com/Containerd/Containerd-v1.6.15
Library home page: https://proxy.golang.org/github.com/!containerd/!containerd/@v/v1.6.15.zip
Path to dependency file: /capten/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/containerd/containerd/@v/v1.6.15.mod
Dependency Hierarchy:
Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb
Found in base branch: main
Vulnerability Details
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.
This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the
"USER $USERNAME"
Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar toENTRYPOINT ["su", "-", "user"]
to allowsu
to properly set up supplementary groups.Publish Date: 2023-02-16
URL: CVE-2023-25173
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-hmfx-3pcx-653p
Release Date: 2023-02-16
Fix Resolution: v1.5.18,v1.6.18
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: