CVE-2024-26147: 
Helm vulnerability analysis and mitigation

Helm, a package manager for Charts for Kubernetes, contains an uninitialized variable vulnerability in versions prior to 3.14.2 when parsing index and plugin yaml files missing expected content. The vulnerability was discovered by Jakub Ciolek at AlphaSense and was assigned CVE-2024-26147. The issue affects the parsing of index.yaml and plugin.yaml files when they are missing all metadata (GitHub Advisory).

The vulnerability occurs in the Helm SDK when using the LoadIndexFile or DownloadIndexFile functions in the repo package or the LoadDir function in the plugin package. The issue manifests as a panic condition when processing YAML files with missing metadata sections. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability affects all Helm functions related to adding a repository and can impact all Helm commands if a malicious plugin is present, as Helm inspects all known plugins on each invocation. This can lead to service disruption through panic conditions when processing malformed YAML files (GitHub Advisory).

The vulnerability has been patched in Helm version 3.14.2. For users unable to upgrade immediately, there are two workarounds: 1) If a malicious plugin is causing panics, it can be manually removed from the filesystem, and 2) When using Helm SDK versions prior to 3.14.2, calls to affected functions can implement recover to catch the panic (GitHub Advisory).