CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens without requiring maintainer approval. This issue has been patched via commit fcf9302.
The GitHub Actions workflow named pull-request.yaml was configured in a way that allowed execution of code from external fork pull requests in a privileged CI/CD environment context. An attacker could submit a crafted pull request from a forked repository, and the code would subsequently be executed automatically with access to repository secrets. This mechanism required no interaction or approval from the project maintainer, making the attack fully autonomous. The vulnerability is classified as CWE-94 (improper control of code generation), meaning inadequate control over executed external code.
An attacker gains access to sensitive repository secrets, including tokens and authentication credentials for Docker Hub, which could lead to account takeover in container registries and potential poisoning of publicly available Docker images.
Update the repository to a version containing commit fcf930211604652aec15085895b6457bc8b73b54 or newer. The fix was introduced directly in this commit. Additionally, it is recommended to rotate all secrets and tokens (including Docker Hub credentials) stored in the repository as a precautionary measure in case the vulnerability was previously exploited.
CloudPirates Open Source Helm Charts in all versions preceding commit fcf9302 in the CloudPirates-io/helm-charts GitHub repository
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N