Vulnerability CVE-2020-4053: Information

Description

In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4.
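As an added illustration of the CWE-22 flaw described above (not Helm's code or its actual fix), this Go example checks every tar entry name against the plugin directory before anything is extracted. The function names, the `/tmp/plugins/demo` path and the in-memory archive are constructed for the example; it checks entry names only, not symlink targets.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// safeJoin (illustrative helper, not Helm's code) rejects entry names that are absolute or resolve outside dest.
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join cleans the path, collapsing ".."
	rel, err := filepath.Rel(dest, target)
	if filepath.IsAbs(name) || err != nil || strings.HasPrefix(filepath.ToSlash(rel)+"/", "../") {
		return "", fmt.Errorf("entry %q escapes %s", name, dest)
	}
	return target, nil
}

// planExtract vets every entry name before any write; one bad name fails the archive.
func planExtract(r io.Reader, dest string) ([]string, error) {
	var paths []string
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		p, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// buildTar makes a constructed in-memory archive of empty files (sample input).
func buildTar(names ...string) *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o600})
	}
	tw.Close()
	return buf
}

func main() { fmt.Println(planExtract(buildTar("plugin.yaml", "../../evil"), "/tmp/plugins/demo")) }
```

Running the vetting pass over the whole archive first means a single traversal entry rejects the plugin before any file from it reaches disk.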

Severity: MEDIUM (6.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Published: June 17, 2020
Modified: Feb. 8, 2024
Error type identifier: CWE-22

    1. Configuration 1

      cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*
      Start including: 3.0.0
      End excluding: 3.2.4