Vulnerability Description
In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Helm | Helm | >= 3.0.0, < 3.2.4 |
Related Weaknesses (CWE)
References
- https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5ad8dfbb4fe05d143688Patch
- https://github.com/helm/helm/releases/tag/v3.2.4Release Notes
- https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73fVendor Advisory
- https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5ad8dfbb4fe05d143688Patch
- https://github.com/helm/helm/releases/tag/v3.2.4Release Notes
- https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73fVendor Advisory
FAQ
What is CVE-2020-4053?
CVE-2020-4053 is a vulnerability with a CVSS score of 3.7 (LOW). In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author ...
How severe is CVE-2020-4053?
CVE-2020-4053 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-4053?
Check the references section above for vendor advisories and patch information. Affected products include: Helm Helm.