Trail of Bits

Helm

Type: Security review
Client: Helm (Matt Butcher)
Date: 2020-08
Domain: Supply Chain
Effort: 4 wks
Section: Cloud-Native Reviews

Trail of Bits' security review of Helm for Matt Butcher (Aug 2020) identified 14 issues: 3 medium, 7 low, and 4 informational.

Findings · 14

  1. Helm does not warn the user about important file permissions that are too broad (Low)
  2. The ValidName Kubernetes resource name regex may lead to denial of service (Low)
  3. Helm's Mac OS build keeps a file descriptor to the /etc/.mdns_debug file open if this file exists, due to a bug in the mdns/lookup library (Informational)
  4. Lack of name validation in the helm create command allows data to be injected into generated YAML files (Low)
  5. The helm create command does not overwrite files as stated in its help message (Low)
  6. The helm create command does not warn that a directory or file already exists (Informational)
  7. Helm executes VCS commands as external programs, relying on user configuration (Low)
  8. Plugins can't be installed from VCS if the URL ends with an archive extractor's extension (Informational)
  9. Plugin command name is not validated; it can duplicate other plugin commands and Helm's top-level commands (Medium)
  10. The helm dependency list command won't print the correct dependency status for certain dependency names (Informational)
  11. Path traversal through a chart's dependency alias (Medium)
  12. Chart repository index.yaml file allows duplicate entries (Medium)
  13. Adding a helm repository may overwrite another one without warning (Low)
  14. Directories created via os.MkdirAll are not checked for permissions (Low)

Findings extracted from the published report PDF. See the full report below for details and remediation.
