PT-2024-4076 · Helm+2

Dominykas · Published 2024-02-14 · Updated 2025-11-28 · CVE-2024-25620

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Helm versions prior to 3.14.1

Description: The Helm client and SDK can save a chart outside its expected directory when the chart's name in the Chart.yaml file contains a relative path change. Such a name is not detected by validation or linting, so the chart is written to the location the altered path points at. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents in which this issue was exploited. The vulnerability allows a remote attacker to save a Helm chart outside its expected directory, potentially leading to unauthorized access or modifications. Technical details about exploitation involve relative path changes in the chart's name within Chart.yaml, which result in path traversal.

Recommendations: For versions prior to 3.14.1, update to Helm v3.14.1, which resolves the issue. As a temporary workaround, check every chart used by Helm, including dependencies, for path changes in the name given in its Chart.yaml file.
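The workaround above asks for every chart name, dependencies included, to be checked for relative path changes. The script below is an added example (not Helm's own code): it reads the top-level name from each Chart.yaml in a chart tree and flags names that would land outside the save directory; the /srv/charts destination and the sample tree it writes to a temp dir are constructed assumptions.

```python
import os
import re
import tempfile

# Chart.yaml is simple enough to read the top-level "name:" without a YAML
# library; names under "dependencies:" are indented, so anchoring at column 0
# keeps only the chart's own name (assumes the standard Chart.yaml layout).
_NAME_RE = re.compile(r'^name:[ \t]*(["\']?)(.*?)\1[ \t]*$', re.MULTILINE)


def chart_name(chart_yaml_text):
    """Return the top-level chart name from Chart.yaml text, or None if absent."""
    match = _NAME_RE.search(chart_yaml_text)
    return match.group(2) if match else None


def check_name(name, dest="/srv/charts"):
    """None if a chart called `name` saves inside `dest`, else a short reason.
    The chart lands at <dest>/<name>, so ".." or a separator in the name moves it."""
    if not name:
        return "missing name"
    dest = os.path.abspath(dest)  # constructed default destination
    target = os.path.normpath(os.path.join(dest, name))
    if target == dest or os.path.commonpath([dest, target]) != dest:
        return "escapes or equals the destination directory"
    if "/" in name or "\\" in name:
        return "contains a path separator"
    return None


def audit_chart_tree(root):
    """Walk a chart tree (dependencies under charts/) and list every bad name."""
    findings = []
    for dirpath, _dirs, files in sorted(os.walk(root)):
        if "Chart.yaml" in files:
            path = os.path.join(dirpath, "Chart.yaml")
            with open(path, encoding="utf-8") as fh:
                name = chart_name(fh.read())
            reason = check_name(name)
            if reason:
                findings.append((os.path.relpath(path, root), name, reason))
    return findings


def build_sample_tree():
    """Write a constructed (not real) chart tree: clean parent, escaping dependency."""
    root = tempfile.mkdtemp(prefix="chart-audit-")
    os.makedirs(os.path.join(root, "charts", "dep"))
    with open(os.path.join(root, "Chart.yaml"), "w", encoding="utf-8") as fh:
        fh.write("apiVersion: v2\nname: parent\nversion: 1.0.0\n"
                 "dependencies:\n  - name: dep\n    version: 0.1.0\n")
    with open(os.path.join(root, "charts/dep/Chart.yaml"), "w", encoding="utf-8") as fh:
        fh.write('apiVersion: v2\nname: "../../escaped"\nversion: 0.1.0\n')
    return root
```

Running `audit_chart_tree(build_sample_tree())` reports only the dependency chart, whose name would resolve to /escaped instead of a path under /srv/charts.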

Exploit

Fix

Weakness Enumeration

Path traversal; Relative Path Traversal

Related Identifiers

ALT-PU-2025-10258
ALT-PU-2025-1444
AZL-34355
AZL-34583
AZL-38023
BDU:2024-04524
BIT-HELM-2024-25620
CVE-2024-25620
GHSA-V53G-5GJP-272R
GO-2024-2554
OPENSUSE-SU-2024:13714-1
OPENSUSE-SU-2024_1137-1
OPENSUSE-SU-2025:15779-1
SUSE-RU-2024:4213-1
SUSE-SU-2024:1137-1
SUSE-SU-2024_1137-1
SUSE-SU-2025:20196-1
SUSE-SU-2025:20278-1

Affected Products

Alt Linux
Helm
Suse