{"id":"GO-2022-1040","summary":"Insufficient sanitization of data files in helm.sh/helm/v3","details":"Helm does not sanitize all fields read from repository data files. A maliciously crafted data file may contain strings containing arbitrary data. If printed to a terminal, a malicious string could obscure or alter data on the screen.","aliases":["BIT-helm-2021-21303","CVE-2021-21303","GHSA-c38g-469g-cmgx"],"modified":"2026-03-17T04:29:12.939588Z","published":"2022-10-18T15:14:31Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-1040","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-c38g-469g-cmgx"},{"type":"FIX","url":"https://github.com/helm/helm/commit/6ce9ba60b73013857e2e7c73d3f86ed70bc1ac9a"}],"affected":[{"package":{"name":"helm.sh/helm/v3","ecosystem":"Go","purl":"pkg:golang/helm.sh/helm/v3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.0.0"},{"fixed":"3.5.2"}]}],"ecosystem_specific":{"imports":[{"symbols":["Chart.Validate","Metadata.Validate"],"path":"helm.sh/helm/v3/pkg/chart"},{"symbols":["FindPlugins","LoadAll","LoadDir","validatePluginData"],"path":"helm.sh/helm/v3/pkg/plugin"},{"symbols":["ChartRepository.DownloadIndexFile","ChartRepository.Index","ChartRepository.Load","FindChartInAuthAndTLSRepoURL","FindChartInAuthRepoURL","FindChartInRepoURL","IndexDirectory","IndexFile.Add","LoadIndexFile","loadIndex"],"path":"helm.sh/helm/v3/pkg/repo"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-1040.json"}}],"schema_version":"1.7.5"}