Version 0.144.0 affected by critical go-getter (1.5.9) vulnerability #186
Replies: 2 comments
-
@BernhardGruen You are welcome to create a PR.
-
Version v0.145.0 is now released with go-getter v1.6.2.
-
Hey,
Our Trivy scan found that helmfile (0.144.0, the newest version as of today) is affected by a critical vulnerability in go-getter.
These are the corresponding CVEs:
As helmfile is able to download from foreign sources, I assume that helmfile could be tricked into downloading potentially harmful files (e.g. via DNS spoofing) and then executing those files as well.
I already found out that a fixed version of go-getter is used in the repository, but there has been no new release. Based on the criticality of that vulnerability, I think publishing a patched version of 0.144.0 would be beneficial.
Best regards,
Bernhard Grün
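A check a consumer of a helmfile binary could run to confirm which go-getter version it was built with, added here as an example and not code from the helmfile project: it parses the output of `go version -m <binary>` (the sample below is constructed, with placeholder module hashes and an assumed module path) and flags a go-getter version older than the v1.6.2 named as fixed in this thread. Only the major.minor.patch triple is compared, so pre-release suffixes are ignored.

```python
"""Check which go-getter version a Go binary was built with.

Input is the output of `go version -m <binary>` (constructed sample below),
which lists every dependency module compiled into the binary.
"""
import re
from typing import Dict, Optional, Tuple

FIXED_GO_GETTER = "v1.6.2"  # version named as fixed in the discussion above

# Constructed sample of `go version -m helmfile` for a 0.144.0-style build;
# the h1: module hashes are placeholders and the main module path is assumed.
SAMPLE_GO_VERSION_M = """\
helmfile: go1.17.8
\tpath\tgithub.com/roboll/helmfile
\tmod\tgithub.com/roboll/helmfile\t(devel)
\tdep\tgithub.com/hashicorp/go-getter\tv1.5.9\th1:PLACEHOLDER=
\tdep\tgithub.com/spf13/cobra\tv1.3.0\th1:PLACEHOLDER=
"""

def parse_go_version_m(text: str) -> Dict[str, str]:
    """Map module path -> version from `go version -m` output; a `=>`
    (replace) line right after a `dep` line overrides that dep's version."""
    mods: Dict[str, str] = {}
    last_dep: Optional[str] = None
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if len(fields) >= 3 and fields[0] == "dep":
            last_dep = fields[1]
            mods[last_dep] = fields[2]
        elif len(fields) >= 3 and fields[0] == "=>" and last_dep:
            mods[last_dep] = fields[2]  # replacement wins
    return mods

def version_key(v: str) -> Tuple[int, ...]:
    """Sortable (major, minor, patch) from 'v1.5.9' or 'v1.6.2+incompatible'."""
    core = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not core:
        raise ValueError(f"unrecognised Go module version: {v!r}")
    return tuple(int(x) for x in core.groups())

def vulnerable_go_getter(text: str, fixed: str = FIXED_GO_GETTER):
    """Return (found_version, needs_update); (None, False) if not linked in."""
    found = parse_go_version_m(text).get("github.com/hashicorp/go-getter")
    if found is None:
        return None, False
    return found, version_key(found) < version_key(fixed)
```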