Helm Chart Extraction Directory Overwrite Vulnerability

Vulnerability

A vulnerability exists in Helm, a package manager for Kubernetes, in versions 3.20.1 and prior, as well as 4.1.3 and prior. The issue arises when a specially crafted Chart is pulled with the 'helm pull --untar' command. Instead of extracting the Chart's contents into a subdirectory named after the Chart, the files are written directly into the specified output directory or the current working directory. This behavior can silently overwrite existing files. The root cause is improper handling of Chart names that contain dot-segments ('.' or '..') or slashes, which are joined into the extraction path without validation and so change where the files land.

Impact

Exploitation of this vulnerability causes extracted Chart files to be written directly into the output directory, potentially overwriting existing files. This could disrupt workflows or cause loss of data.

Reproduction

To reproduce this vulnerability, create a Helm Chart whose name is a dot-segment (such as '.') or a dot-dot segment (such as '..'), or whose name contains slashes. Then, use the 'helm pull --untar' command to extract the Chart. The contents will be written to the output directory itself instead of a subdirectory named after the Chart, overwriting any existing files of the same name in that directory.

Remediation

Upgrade to Helm version 3.20.2 or 4.1.4, where this vulnerability has been fixed. For those unable to upgrade, ensure that Chart names do not include dot-segments or slashes, and run 'helm pull --untar' with a unique, empty output directory so that nothing pre-existing can be overwritten.
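The workaround above amounts to validating the Chart name before it is joined onto the output directory. The following Go function is an added illustration of that check, not Helm's own code: it rejects names that are dot-segments or contain a path separator, and then confirms the resulting directory is a strict child of the output directory. The function name 'safeChartDir' and the '/tmp/out' sample paths are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeChartName is returned for names that could steer extraction
// outside the per-chart subdirectory (illustrative, not Helm's own error).
var ErrUnsafeChartName = errors.New("unsafe chart name")

// safeChartDir returns the directory beneath outDir into which a chart
// named chartName should be untarred. Names that are empty, equal to "."
// or "..", or that contain "/" or "\" are rejected; the joined path is
// then re-checked so it can never resolve to outDir itself or above it.
func safeChartDir(outDir, chartName string) (string, error) {
	if chartName == "" || chartName == "." || chartName == ".." {
		return "", fmt.Errorf("%w: %q is a dot-segment", ErrUnsafeChartName, chartName)
	}
	if strings.ContainsAny(chartName, `/\`) {
		return "", fmt.Errorf("%w: %q contains a path separator", ErrUnsafeChartName, chartName)
	}
	base, err := filepath.Abs(outDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, chartName)
	// Defence in depth: the target must be strictly inside base.
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrUnsafeChartName, chartName, target)
	}
	return target, nil
}

func main() {
	// Constructed sample names: one benign, the rest of the shapes the advisory describes.
	for _, name := range []string{"nginx", ".", "..", "../etc", "a/b", `a\b`} {
		dir, err := safeChartDir("/tmp/out", name)
		fmt.Printf("%-8q -> dir=%q err=%v\n", name, dir, err)
	}
}
```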

Added: Apr 10, 2026, 1:30 AM
Updated: Apr 10, 2026, 1:30 AM

Vulnerability Rating

Custom Algorithm
spread:          6.6
impact:          0.6
exploitability:  5.3
remediation:     7.9
relevance:       5.5
threat:          4.8
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.