helmfile/helmfile

CVE-2024-3817 on helmfile

Closed this issue · 5 comments

Operating system

Alpine 3.19.1

Helmfile Version

0.163.1

Helm Version

None

Bug description

A Trivy analysis on this version of helmfile detects this CVE:

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/hashicorp/go-getter | CVE-2024-3817 | CRITICAL | v1.7.3 | 1.7.4 | HashiCorp’s go-getter library is vulnerable to argument injection ... https://avd.aquasec.com/nvd/cve-2024-3817 |

Fixed version 1.7.4 is already upgraded on master. Please produce a new release.

Example helmfile.yaml

None specific.

Error message you've seen (if any)

No error

Steps to reproduce

docker build . -t helmfile; trivy image helmfile (trivy 0.43.1)

Working Helmfile Version

None

Relevant discussion

No response
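A check that complements the Trivy scan above, added here as an example and not part of the issue or the helmfile project: it reads the module list Go embeds in a binary (`go version -m ./helmfile`) and compares the reported go-getter version against 1.7.4, the fixed release from the finding. The sample `go version -m` output and its `h1:` hashes are constructed for illustration.

```shell
# Added example (not part of the issue): read the module list Go embeds in a
# binary (`go version -m ./helmfile`) and compare the go-getter version it
# reports against 1.7.4, the fixed release named in the Trivy finding.
FIXED_GO_GETTER="1.7.4"

# Constructed sample of `go version -m` output; module hashes are placeholders.
# On a real binary: MODINFO=$(go version -m ./helmfile)
SAMPLE_MODINFO='helmfile: go1.21
	path	github.com/helmfile/helmfile
	mod	github.com/helmfile/helmfile	v0.163.1	h1:PLACEHOLDER
	dep	github.com/hashicorp/go-getter	v1.7.3	h1:PLACEHOLDER
	dep	github.com/hashicorp/go-cleanhttp	v0.5.2	h1:PLACEHOLDER'

# Print the version of one dependency module (e.g. v1.7.3) from modinfo on stdin.
dep_version() {
    awk -v mod="$1" '$1 == "dep" && $2 == mod { print $3; exit }'
}

# Succeed when version $1 is at least $2, comparing dot-separated numeric parts;
# a leading "v" is ignored and a missing part counts as 0 (1.7 == 1.7.0).
version_ge() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Classify the go-getter version found in a modinfo dump:
# prints "fixed (vX)" / "vulnerable (vX)" / "absent" and returns 0 / 1 / 2.
check_go_getter() {
    v=$(printf '%s\n' "$1" | dep_version github.com/hashicorp/go-getter)
    if [ -z "$v" ]; then
        echo "absent"; return 2
    fi
    if version_ge "$v" "$FIXED_GO_GETTER"; then
        echo "fixed ($v)"; return 0
    fi
    echo "vulnerable ($v)"; return 1
}

check_go_getter "$SAMPLE_MODINFO" ||
    echo "go-getter is below $FIXED_GO_GETTER in this build"
```

Against the constructed sample this reports `vulnerable (v1.7.3)`; run against a binary from a release that includes the upgrade it should report `fixed (v1.7.4)` or later.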

It seems that github.com/hashicorp/go-getter has already been updated to a fixed version (1.7.4): 8f6c4b9

I guess all we need is a new release? 🙂

@yxxhero do you think a new release is possible with the current master version?

@LionnelC I think so. maybe next week.

Hey all!
Can we close this as we've already released helmfile v1.0.0-rc.0 and v0.164.0 containing go-getter 1.7.4?
Could anyone confirm?

I confirm. Thanks a lot!