CVE-2020-4053

In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4.
Configurations

Configuration 1 (hide)

cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:32

Type Values Removed Values Added
CVSS v2 : 8.5
v3 : 6.8
v2 : 8.5
v3 : 3.7
References () https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5ad8dfbb4fe05d143688 - Patch () https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5ad8dfbb4fe05d143688 - Patch
References () https://github.com/helm/helm/releases/tag/v3.2.4 - Release Notes () https://github.com/helm/helm/releases/tag/v3.2.4 - Release Notes
References () https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f - Vendor Advisory () https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f - Vendor Advisory

08 Feb 2024, 02:11

Type Values Removed Values Added
References (CONFIRM) https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f - Third Party Advisory (CONFIRM) https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f - Vendor Advisory

Information

Published : 2020-06-16 22:15

Updated : 2024-11-21 05:32


NVD link : CVE-2020-4053

Mitre link : CVE-2020-4053

CVE.ORG link : CVE-2020-4053


JSON object : View

Products Affected

helm

  • helm
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')