Path Traversal in Helm Plugin Archive
CVE-2020-4053

3.7LOW

Key Information:

Vendor

The Helm Project

Status
Helm
Vendor
CVE Published:
16 June 2020

What is CVE-2020-4053?

In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4.

Affected Version(s)

Helm >= 3.0.0, < 3.2.4

References

https://github.com/helm/helm/security/advisories/GHSA-qq3...
x_refsource_CONFIRM
https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5...
x_refsource_MISC
https://github.com/helm/helm/releases/tag/v3.2.4
x_refsource_MISC

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.