Vulnerability CVE-2020-4053: Information
Description
In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4.
Severity: MEDIUM (6.8) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
helm | sisyphus | 3.4.1-alt1 | 3.12.0-alt1 | ALT-PU-2020-3396-1 | 262339 | Fixed |
helm | p10 | 3.4.1-alt1 | 3.10.2-alt1 | ALT-PU-2020-3396-1 | 262339 | Fixed |
helm | p9 | 3.4.1-alt1 | 3.4.1-alt1 | ALT-PU-2020-3416-1 | 262344 | Fixed |
helm | c10f1 | 3.4.1-alt1 | 3.10.2-alt1 | ALT-PU-2020-3396-1 | 262339 | Fixed |
helm | c9f2 | 3.4.1-alt1 | 3.4.1-alt1 | ALT-PU-2022-1250-1 | 293762 | Fixed |
helm | p11 | 3.4.1-alt1 | 3.12.0-alt1 | ALT-PU-2020-3396-1 | 262339 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5ad8dfbb4fe05d143688 |
|
https://github.com/helm/helm/releases/tag/v3.2.4 |
|
https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f |
|