CVE-2019-1000008

{"id": "CVE-2019-1000008", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-02-04T21:29:00.910", "references": [{"url": "https://helm.sh/blog/helm-security-notice-2019/index.html", "tags": ["Mitigation", "Exploit", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The commands `helm fetch --untar` and `helm lint some.tgz` that can result when chart archive files are unpacked a file may be unpacked outside of the target directory. This attack appears to be exploitable via a victim must run a helm command on a specially crafted chart archive. This vulnerability appears to have been fixed in 2.12.2."}, {"lang": "es", "value": "Todas las versiones de Helm entre la 2.0.0 (incluida) y la 2.12.2 contienen una vulnerabilidad CWE-22: limitaci\u00f3n incorrecta de un nombre de ruta hacia un directorio restringido (salto de directorio) en los comandos helm fetch --untar y helm lint some.tgz. Esta vulnerabilidad puede desencadenarse cuando los archivos comprimidos chart se descomprimen, ya que un archivo podr\u00eda descomprimirse fuera del directorio objetivo. El ataque parece ser explotable si una v\u00edctima ejecuta un comando de helm en un archivo comprimido chart especialmente manipulado. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 2.12.2."}], "lastModified": "2019-02-15T15:20:10.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7232EE4B-57DF-4F3A-9DC0-698DE50600B7", "versionEndExcluding": "2.12.2", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}