CVE-2024-3817 on helmfile
Closed this issue · 5 comments
Operating system
Alpine 3.19.1
Helmfile Version
0.163.1
Helm Version
None
Bug description
A Trivy analysis of this version of helmfile detects this CVE:
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/hashicorp/go-getter | CVE-2024-3817 | CRITICAL | v1.7.3 | 1.7.4 | HashiCorp’s go-getter library is vulnerable to argument injection ... https://avd.aquasec.com/nvd/cve-2024-3817 |
Fixed version 1.7.4 is already upgraded on master. Please produce a new release.
Example helmfile.yaml
No specific.
Error message you've seen (if any)
No error
Steps to reproduce
docker build . -t helmfile; trivy image helmfile (trivy 0.43.1)
Working Helmfile Version
None
Relevant discussion
No response
It seems that github.com/hashicorp/go-getter has already been updated to a fixed version (1.7.4): 8f6c4b9
I guess all we need is a new release? 🙂
Hey all!
Can we close this as we've already released helmfile v1.0.0-rc.0 and v0.164.0 containing go-getter 1.7.4?
Could anyone confirm?
I confirm. Thanks a lot!
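The reproduction steps above rely on rebuilding the image and re-scanning it with Trivy, and the final question in the thread is whether a released helmfile build actually carries go-getter 1.7.4. A quicker confirmation that does not need Trivy is to read the module list that the Go toolchain embeds in every binary (`go version -m <binary>`) and compare the go-getter entry against the fixed version from the report. The script below is an added example and is not part of the issue or the helmfile project; the `go version -m` output it parses is a constructed sample whose hashes and paths are made up, the function names are hypothetical, and checking a real binary assumes a `go` toolchain is installed. Pre-release suffixes such as `-rc1` are ignored in the comparison.

```shell
#!/bin/sh
# Added example (not from the helmfile project): check which go-getter version
# a Go binary was built with and compare it against the fixed version that
# Trivy reported for CVE-2024-3817.

FIXED_GOGETTER="1.7.4"

# Constructed samples of `go version -m` output (real output is tab-separated;
# awk splits on any whitespace, so spaces work the same). Hashes are fake.
SAMPLE_MODINFO_0_163_1='/usr/local/bin/helmfile: go1.21.8
  path github.com/helmfile/helmfile
  mod  github.com/helmfile/helmfile   v0.163.1  h1:constructed
  dep  github.com/hashicorp/go-getter v1.7.3    h1:constructed'

SAMPLE_MODINFO_FIXED='/usr/local/bin/helmfile: go1.21.8
  path github.com/helmfile/helmfile
  mod  github.com/helmfile/helmfile   v0.164.0  h1:constructed
  dep  github.com/hashicorp/go-getter v1.7.4    h1:constructed'

# Read `go version -m` output on stdin and print the go-getter version
# (e.g. "v1.7.3"). Exits 1 when go-getter is not among the dependencies.
gogetter_version_from_modinfo() {
  awk '$1 == "dep" && $2 == "github.com/hashicorp/go-getter" { print $3; found = 1 }
       END { exit found ? 0 : 1 }'
}

# Compare two dotted versions (a leading "v" is allowed) component by
# component as integers. Prints "lt", "eq" or "gt" for $1 relative to $2.
# Non-numeric suffixes such as "-rc1" are dropped by the numeric conversion.
vercmp() {
  a=$(printf '%s' "$1" | sed 's/^v//')
  b=$(printf '%s' "$2" | sed 's/^v//')
  awk -v a="$a" -v b="$b" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print "lt"; exit }
      if (xi > yi) { print "gt"; exit }
    }
    print "eq"
  }'
}

# Classify a module list: prints "VULNERABLE <ver>", "FIXED <ver>" or "ABSENT".
assess_gogetter() {
  ver=$(printf '%s\n' "$1" | gogetter_version_from_modinfo) || { echo ABSENT; return; }
  case "$(vercmp "$ver" "$FIXED_GOGETTER")" in
    lt) echo "VULNERABLE $ver" ;;
    *)  echo "FIXED $ver" ;;
  esac
}

# Run the check against a real binary, e.g. check_binary "$(command -v helmfile)".
# Requires the Go toolchain; works for any Go binary, not only helmfile.
check_binary() {
  assess_gogetter "$(go version -m "$1")"
}

# Demo on the constructed samples; pass a binary path as $1 to check a real one.
assess_gogetter "$SAMPLE_MODINFO_0_163_1"   # prints: VULNERABLE v1.7.3
assess_gogetter "$SAMPLE_MODINFO_FIXED"     # prints: FIXED v1.7.4
if [ -n "${1-}" ]; then check_binary "$1"; fi
```

Because `go version -m` reads the build info baked into the binary, this check works on the artifact you actually ship (including the one inside the Docker image, via `docker run --rm --entrypoint sh <image> -c 'go version -m /usr/local/bin/helmfile'` if the image has a toolchain, or by copying the binary out first) and does not depend on the scanner's database being current.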