pipe-cd · Szarny · Jun 10, 2022 · Jun 10, 2022 · Jun 10, 2022 · Jun 10, 2022
@@ -8,12 +8,34 @@ description: >
 
 ## Changelog since v0.32.4
 
+### Breaking Changes
+
+According to a recently discovered [vulnerability](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24348), it reveals that the existence of a directory traversal vulnerability when an arbitrary path can be specified as the Helm values file path.
+
+For this reason, PipeCD has restricted the path that can be specified as the values file path to the directory where the application configuration exists (aka. the application directory) when a local path is specified by [#3726](https://github.com/pipe-cd/pipecd/pull/3726).
+
+Therefore, for example, in the following specification of values file paths, the first three are allowed, but the last two are not.
+
+```yaml
+helmOptions:
+  valueFiles:
+    # allowed
+    - values.yaml
+    - ./foo/bar/values.yaml
+    - /path/to/application-directory/values.yaml
+
+    # disallowed
+    - ../../../../path/to/OTHER-application-directory-or-such/values.yaml
+    - /path/to/OTHER-application-directory-or-such/values.yaml
+```
+
+For more information, please see [HelmOptions configuration reference](https://pipecd.dev/docs/user-guide/configuration-reference/#helmoptions).
+
 ### Notable Changes
 
 * Sort the application suggestion name in application filter form ([#3740](https://github.com/pipe-cd/pipecd/pull/3740))
 * Make piped upgrade version input box selectable ([#3734](https://github.com/pipe-cd/pipecd/pull/3734))
 * Add feature to show piped config on web console ([#3673](https://github.com/pipe-cd/pipecd/pull/3673))
-* Add validation to helm values file path to prevent potential dirtrav vulnerability ([#3726](https://github.com/pipe-cd/pipecd/pull/3726))
 
 ### Internal Changes