5 matches found
Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository
Summary The user-provided chart name in the kustomize manager is appended to the helm pull --untar command without proper sanitization. Details Adversaries can provide a maliciously crafted kustomization.yaml in conjunction with a Helm repo's index.yaml file to trick Renovate into executing arbitrary...
Use of Uninitialized Resource
Overview helm.sh/helm/v3/pkg/repo is a package manager for Kubernetes. Affected versions of this package are vulnerable to Use of Uninitialized Resource via improper validation when parsing Chart.yaml and index.yaml files. An attacker can cause a panic in the application by providing malformed or...
CVE-2022-1025
A privilege escalation flaw was found in ArgoCD. This flaw allows a malicious user who has push access to an application's source git or Helm repository, or sync and override access, to perform actions they are not authorized to do. For example, if the attacker has update or delete access, they c...
Information Disclosure
github.com/helm/helm is vulnerable to information disclosure. The vulnerability exists because it does not limit passing of credentials such as the username and password associated with a Helm repository to another domain referenced by that Helm repository...
Helm security vulnerability
Helm is a tool for managing charts, pre-configured Kubernetes resource packages. Helm is vulnerable to an information disclosure vulnerability that stems from the possibility of username and password credentials being passed to another domain referenced by this Helm repository. No detailed...