CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36055 – Denial of service in Helm
https://notcve.org/view.php?id=CVE-2022-36055
01 Sep 2022 — Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. • https://github.com/helm/helm/releases/tag/v3.9.4 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 2CVE-2022-31549
https://notcve.org/view.php?id=CVE-2022-31549
11 Jul 2022 — The olmax99/helm-flask-celery repository before 2022-05-25 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. El repositorio olmax99/helm-flask-celery versiones anteriores a 25-05-2022 en GitHub, permite un salto de ruta absoluto porque la función send_file de Flask es usada de forma no segura • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32690 – Repository credentials passed to alternate domain
https://notcve.org/view.php?id=CVE-2021-32690
16 Jun 2021 — Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository ... • https://github.com/helm/helm/releases/tag/v3.6.1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21303 – Injection attack in Helm
https://notcve.org/view.php?id=CVE-2021-21303
05 Feb 2021 — Helm is open-source software which is essentially "The Kubernetes Package Manager". Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. In Helm from version 3.0 and before version 3.5.2, there a few cases where data loaded from potentially untrusted sources was not properly sanitized. When a SemVer in the `version` field of a chart is invalid, in some cases Helm allows the string to be used "as is" without sanitizing. • https://github.com/helm/helm/commit/6ce9ba60b73013857e2e7c73d3f86ed70bc1ac9a • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15187 – Duplicate plugin entries in Helm
https://notcve.org/view.php?id=CVE-2020-15187
17 Sep 2020 — In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm ... • https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-694: Use of Multiple Resources with Duplicate Identifier •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15186 – Improper sanitization of plugin names in Helm
https://notcve.org/view.php?id=CVE-2020-15186
17 Sep 2020 — In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._... • https://github.com/helm/helm/commit/809e2d999e2c33e20e77f6bff30652d79c287542 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15185 – Duplicated chart entries in Helm
https://notcve.org/view.php?id=CVE-2020-15185
17 Sep 2020 — In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index ... • https://github.com/helm/helm/commit/055dd41cbe53ce131ab0357524a7f6729e6e40dc • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-694: Use of Multiple Resources with Duplicate Identifier •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15184 – Aliases are never checked in Helm
https://notcve.org/view.php?id=CVE-2020-15184
17 Sep 2020 — In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters. En Helm versiones anteriores a 2.16.11 y 3.3.2, se p... • https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-4053 – Path Traversal in Helm Plugin Archive
https://notcve.org/view.php?id=CVE-2020-4053
16 Jun 2020 — In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4. En Helm versiones superiores o iguales a 3.0.0 y menores a 3.2.4, es posible un ataque de salto de ruta al instalar plugins de Helm desde un archivo tar por medio de HTTP. Es posible... • https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5ad8dfbb4fe05d143688 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11013 – lookup Function Information Discolosure in Helm
https://notcve.org/view.php?id=CVE-2020-11013
24 Apr 2020 — Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. `lookup` is a Helm template function introduced in Helm v3. It is able to lookup resources in the cluster to check for the existence of specific resources and get details about them. This can be used as part of the process to render templates. The documented behavior of `helm template` states that it does not attach to a remote cluster. • https://github.com/helm/helm/releases/tag/v3.2.0 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •