CVE Vulnerability

CVE-2020-4053

In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4.

8.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

6.8 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5ad8dfbb4fe05d143688 Patch Third Party Advisory
https://github.com/helm/helm/releases/tag/v3.2.4 Release Notes Third Party Advisory
https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*
Information

Published : 2020-06-16 10:15

Updated : 2020-07-06 04:47

NVD link : CVE-2020-4053

Mitre link : CVE-2020-4053

Products Affected
No products.
CWE
CWE-23

Relative Path Traversal