CVE-2019-18658

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-18658

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18658.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-18658

Aliases

Related

Withdrawn

2024-05-15T05:33:17.307406Z

Published

2019-11-12T14:15:11Z

Modified

2024-08-20T20:58:38.061127Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue.

References

https://helm.sh/blog/2019-10-30-helm-symlink-security-notice/

Affected packages

Git / github.com/helm/helm

Affected ranges

Type: GIT
Repo: https://github.com/helm/helm
Events: Introduced

51bdad42756dfaf3234f53ef3d3cb6bcd94144c2

Fixed

8dce272473e5f2a7bf58ce79bb5c3691db54c96b

Affected versions

v2.*

v2.0.0

v2.1.0

v2.10.0-rc.1

v2.10.0-rc.2

v2.15.0

v2.15.0-rc.1

v2.15.0-rc.2

v2.15.1

v2.2.0

v2.3.0

v2.4.0

v2.5.0

v2.6.0

v2.7.0

v2.7.0-rc1

v2.8.0-rc.1