Helm
cpe:2.3:a:helm:helm:*:*:*:*:*:*:*
- <= 3.18.4
A vulnerability in Helm, a package manager for Kubernetes, prior to version 3.18.5 causes a panic when insufficiently validated YAML files are parsed. This issue arises in 'Chart.yaml' and 'index.yaml' files. The panic is triggered when a 'Chart.yaml' file contains a 'null' maintainer entry, or when the 'child' or 'parent' fields of a dependency's 'import-values' entry are not strings. Similarly, 'index.yaml' files with empty chart version entries can cause a panic during repository interactions.
The vulnerability causes Helm to panic, disrupting use of the tool (a denial of service against the CLI rather than code execution). This is particularly problematic when 'helm lint' is used, as the command aborts without completing its checks.
To reproduce this vulnerability, create a 'Chart.yaml' file with a 'null' maintainer entry or with 'child' or 'parent' values in the 'import-values' section that are not strings. Alternatively, an 'index.yaml' file can be used that contains an empty entry in the chart version list. When these files are processed with Helm versions through 3.18.4, the tool will panic.
Users can update to Helm version 3.18.5, where this vulnerability has been patched. Instructions for updating can be found in the Helm GitHub repository.
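For teams that cannot upgrade immediately, a pre-check that rejects the three shapes described above before a chart or repository index reaches Helm is a practical mitigation. The following is an added example (not Helm's own code): a standard-library-only Go checker that inspects a decoded 'Chart.yaml' or 'index.yaml' document for a null maintainer, a non-string 'child'/'parent' in an 'import-values' mapping, and an empty entry in a chart's version list. It decodes with encoding/json because JSON is valid YAML and that keeps the example dependency-free; in practice the same checks run over the generic map produced by a YAML decoder. The function names and the sample documents are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Decode parses a document into a generic map. JSON is used here only to keep
// the example standard-library-only; any YAML decoder yielding
// map[string]interface{} can be substituted (assumption for this example).
func Decode(data string) (map[string]interface{}, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal([]byte(data), &doc); err != nil {
		return nil, err
	}
	return doc, nil
}

// ValidateChartDoc flags the Chart.yaml shapes that crash Helm <= 3.18.4:
// a null element under 'maintainers', and a dependency 'import-values'
// mapping whose 'child' or 'parent' value is not a string.
// It returns one finding per problem; an empty slice means the file is clean.
func ValidateChartDoc(doc map[string]interface{}) []string {
	var findings []string
	if maintainers, ok := doc["maintainers"].([]interface{}); ok {
		for i, entry := range maintainers {
			if entry == nil {
				findings = append(findings, fmt.Sprintf("maintainers[%d] is null", i))
			}
		}
	}
	if deps, ok := doc["dependencies"].([]interface{}); ok {
		for i, d := range deps {
			dep, ok := d.(map[string]interface{})
			if !ok {
				continue
			}
			ivs, ok := dep["import-values"].([]interface{})
			if !ok {
				continue
			}
			for j, iv := range ivs {
				m, ok := iv.(map[string]interface{})
				if !ok {
					continue // the plain string form of import-values is fine
				}
				for _, key := range []string{"child", "parent"} {
					if v, present := m[key]; present {
						if _, isStr := v.(string); !isStr {
							findings = append(findings, fmt.Sprintf(
								"dependencies[%d].import-values[%d].%s is %T, want string", i, j, key, v))
						}
					}
				}
			}
		}
	}
	return findings
}

// ValidateIndexDoc flags an index.yaml whose 'entries.<chart>' version list
// contains an empty (null) element.
func ValidateIndexDoc(doc map[string]interface{}) []string {
	var findings []string
	entries, ok := doc["entries"].(map[string]interface{})
	if !ok {
		return findings
	}
	for name, v := range entries {
		versions, ok := v.([]interface{})
		if !ok {
			continue
		}
		for i, ver := range versions {
			if ver == nil {
				findings = append(findings, fmt.Sprintf("entries[%q][%d] is empty", name, i))
			}
		}
	}
	return findings
}

// Constructed sample documents (JSON form of the YAML files).
const badChart = `{"apiVersion":"v2","name":"demo","version":"0.1.0",
 "maintainers":[{"name":"alice"},null],
 "dependencies":[{"name":"lib","version":"1.0.0","repository":"https://example.invalid/charts",
   "import-values":["defaults",{"child":5,"parent":"lib"}]}]}`
const goodChart = `{"apiVersion":"v2","name":"demo","version":"0.1.0",
 "maintainers":[{"name":"alice"}],
 "dependencies":[{"name":"lib","version":"1.0.0","import-values":[{"child":"a","parent":"b"}]}]}`
const badIndex = `{"apiVersion":"v1","entries":{"demo":[{"name":"demo","version":"0.1.0"},null]}}`

func main() {
	for _, s := range []string{badChart, goodChart} {
		doc, _ := Decode(s)
		fmt.Println("Chart.yaml findings:", ValidateChartDoc(doc))
	}
	idx, _ := Decode(badIndex)
	fmt.Println("index.yaml findings:", ValidateIndexDoc(idx))
}
```

Run the checker in CI ahead of 'helm lint' or 'helm repo index' and fail the job on any finding; a clean result means the file does not contain the shapes this advisory describes, though it is not a substitute for upgrading to 3.18.5.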