CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (generate-schema.yaml) exposes sensitive credentials (Personal Access Token and SSH signing key) to fork-controlled code due to unsafe checkout and credential handling practices. This issue has been patched via commit fcf9302.
The generate-schema.yaml workflow performs code checkout in an unsafe manner, failing to properly isolate the execution environment from code originating from external repository forks. As a result, code submitted by an attacker via a pull request from a fork gains access to environment variables containing Personal Access Token (PAT) and SSH signing key. The attacker can thus obtain these credentials during CI/CD pipeline execution.
An attacker can seize the Personal Access Token and SSH key assigned to the repository, enabling unauthorized access to associated resources, code modification, or compromise of the software supply chain integrity.
The repository should be updated to the version containing commit fcf9302 (fcf930211604652aec15085895b6457bc8b73b54), which introduces a fix for secure credential handling in GitHub Actions workflows. Details available in vendor references (GHSA-r874-j8fr-x2pj).
CloudPirates Open Source Helm Charts – all versions before commit fcf930211604652aec15085895b6457bc8b73b54
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N