chore(deps): update module helm.sh/helm/v3 to v3.14.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
helm.sh/helm/v3	v3.14.0 -> v3.14.1

GitHub Vulnerability Alerts

CVE-2024-25620

A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.

Impact

When either the Helm client or SDK is used to save a chart whose name within the Chart.yaml file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name.

Patches

This issue has been resolved in Helm v3.14.1.

Workarounds

Check all charts used by Helm for path changes in their name as found in the Chart.yaml file. This includes dependencies.

Credits

Disclosed by Dominykas Blyžė at Nearform Ltd.

---

Helm dependency management path traversal

CVE-2024-25620 / GHSA-v53g-5gjp-272r

More information

Details

A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.

Impact

When either the Helm client or SDK is used to save a chart whose name within the Chart.yaml file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name.

Patches

This issue has been resolved in Helm v3.14.1.

Workarounds

Check all charts used by Helm for path changes in their name as found in the Chart.yaml file. This includes dependencies.

Credits

Disclosed by Dominykas Blyžė at Nearform Ltd.

Severity

• CVSS Score: 6.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References

• https://github.com/helm/helm/security/advisories/GHSA-v53g-5gjp-272r
• https://nvd.nist.gov/vuln/detail/CVE-2024-25620
• https://github.com/helm/helm/commit/0d0f91d1ce277b2c8766cdc4c7aa04dbafbf2503
• https://github.com/helm/helm
• https://github.com/helm/helm/releases/tag/v3.14.1

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

helm/helm (helm.sh/helm/v3)

v3.14.1: Helm v3.14.1

Compare Source

Helm v3.14.1 is a security (patch) release. Users are strongly recommended to update to this release.

A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.

Dominykas Blyžė with Nearform Ltd. discovered the vulnerability.

Installation and Upgrading

Download Helm v3.14.1. The common platform binaries are here:

• MacOS amd64 (checksum / 67928236b37c4e780b9fb5e614fb3b9aece90d60f0b1b4cb7406ee292c2dae3b)
• MacOS arm64 (checksum / 96468f927cc6efb4a2b92fd9419f40ed21d634af2f3e84fb8efa59526c7a003b)
• Linux amd64 (checksum / 75496ea824f92305ff7d28af37f4af57536bf5138399c824dff997b9d239dd42)
• Linux arm (checksum / f50c00c262b74435530e677bcec07637aaeda1ed92ef809b49581a4e6182cbbe)
• Linux arm64 (checksum / f865b8ad4228fd0990bbc5b50615eb6cb9eb31c9a9ca7238401ed897bbbe9033)
• Linux i386 (checksum / 3c94ed0601e0e62c195a7e9b75262b18128c8284662aa0e080bb548dc6d47bcd)
• Linux ppc64le (checksum / 4d853ab8fe3462287c7272fbadd5f73531ecdd6fa0db37d31630e41ae1ae21de)
• Linux s390x (checksum / 19bf07999c7244bfeb0fd27152919b9faa1148cf43910edbb98efa9150058a98)
• Linux riscv64 (checksum / 2660bd8eb37aafc071599b788a24bfe244e5d3ffa42da1599da5a5041dafa214)
• Windows amd64 (checksum / 8a6c78a23a4e497ad8bd288138588adb3e5b49be8dbe82a3200fe7b297dac184)

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @​mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 3.14.2 will contain only bug fixes and be released on March 13, 2024.
• 3.15.0 is the next feature release and will be on May 08, 2024.

---

Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

Hey!

Your images are ready:

• ghcr.io/openclarity/vmclarity-apiserver-dev:pr1326-6f89ac24c3844bc2f90b621aa950540e276e0701
• ghcr.io/openclarity/vmclarity-cli-dev:pr1326-6f89ac24c3844bc2f90b621aa950540e276e0701
• ghcr.io/openclarity/vmclarity-cr-discovery-server-dev:pr1326-6f89ac24c3844bc2f90b621aa950540e276e0701
• ghcr.io/openclarity/vmclarity-orchestrator-dev:pr1326-6f89ac24c3844bc2f90b621aa950540e276e0701
• ghcr.io/openclarity/vmclarity-ui-dev:pr1326-6f89ac24c3844bc2f90b621aa950540e276e0701
• ghcr.io/openclarity/vmclarity-ui-backend-dev:pr1326-6f89ac24c3844bc2f90b621aa950540e276e0701