
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Feb 2024 — Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin YAML files missing expected content. When either an `index.yaml` file or a plugin's `plugin.yaml` file was missing all metadata, a panic would occur in Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this im... • https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af • CWE-457: Use of Uninitialized Variable •

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Feb 2024 — Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. • https://github.com/helm/helm/commit/0d0f91d1ce277b2c8766cdc4c7aa04dbafbf2503 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 8.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Jun 2021 — Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository ... • https://github.com/helm/helm/releases/tag/v3.6.1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

17 Sep 2020 — In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm ... • https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-694: Use of Multiple Resources with Duplicate Identifier •

CVSS: 4.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

17 Sep 2020 — In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._... • https://github.com/helm/helm/commit/809e2d999e2c33e20e77f6bff30652d79c287542 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 4.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

17 Sep 2020 — In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index ... • https://github.com/helm/helm/commit/055dd41cbe53ce131ab0357524a7f6729e6e40dc • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-694: Use of Multiple Resources with Duplicate Identifier •

CVSS: 4.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

17 Sep 2020 — In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters. • https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Nov 2019 — In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue. • https://helm.sh/blog/2019-10-30-helm-symlink-security-notice • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Jul 2019 — Helm before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were allowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2. • https://github.com/helm/helm/pull/3152 • CWE-295: Improper Certificate Validation •

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

04 Feb 2019 — All versions of Helm >=2.0.0 and < 2.12.2 contain a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the commands `helm fetch --untar` and `helm lint some.tgz`: when chart archive files are unpacked, a file may be unpacked outside of the target directory. This attack appears to be exploitable when a victim runs a helm command on a specially crafted chart archive. This vulnerability appears to have been fixed in 2.12.2. • https://helm.sh/blog/helm-security-notice-2019/index.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •