CVE-2020-4053
3.7
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| The Helm Project | Helm | >= 3.0.0, < 3.2.4 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f
- https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5ad8dfbb4fe05d143688
- https://github.com/helm/helm/releases/tag/v3.2.4
References
- https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f
- https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5ad8dfbb4fe05d143688
- https://github.com/helm/helm/releases/tag/v3.2.4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.