Helm Unsafe Link Following

GHSA-p5pc-m4q7-7qm9 · CVE-2019-18658 · GO-2023-1938

Published May 24, 2022 · Modified Aug 20, 2024

Description

In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-18658
PACKAGE https://github.com/helm/helm
WEB https://helm.sh/blog/2019-10-30-helm-symlink-security-notice

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes