GHSA-rqgv-292v-5qgr: Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases
Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 registryAliases to execute arbitrary commands.
References
- github.com/advisories/GHSA-rqgv-292v-5qgr
- github.com/renovatebot/renovate
- github.com/renovatebot/renovate/blob/23f3df6216375cb5bcfe027b0faee304f877f891/lib/modules/manager/helmv3/artifacts.ts
- github.com/renovatebot/renovate/commit/1e941fd885c799f2d38f4084a6f4cb9438813c8f
- github.com/renovatebot/renovate/security/advisories/GHSA-rqgv-292v-5qgr
Code Behaviors & Features
Detect and mitigate GHSA-rqgv-292v-5qgr with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →