In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4.
References
Link | Resource |
---|---|
https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5ad8dfbb4fe05d143688 | Patch |
https://github.com/helm/helm/releases/tag/v3.2.4 | Release Notes |
https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f | Vendor Advisory |
Configurations
History
08 Feb 2024, 02:11
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f - Vendor Advisory |
Information
Published : 2020-06-16 22:15
Updated : 2024-02-28 17:47
NVD link : CVE-2020-4053
Mitre link : CVE-2020-4053
CVE.ORG link : CVE-2020-4053
JSON object : View
Products Affected
helm
- helm
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')