The vulnerability of the package manager for Kubernetes Helm, related to incorrect path name restrictions for restricted access directories, allows a malicious actor to save Helm Charts outside of the expected directory.

🗓️ 14 Jun 2024 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 1 Views

Kubernetes Helm has a path restriction flaw that allows charts outside the expected directory.

Reporter	Title	Published	Views	Family All 77
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps	15 Apr 202503:03	–	ibm
Tenable Nessus	Azure Linux 3.0 Security Update: cert-manager / helm (CVE-2024-25620)	10 Feb 202500:00	–	nessus
Tenable Nessus	CBL Mariner 2.0 Security Update: cert-manager / helm (CVE-2024-25620)	19 Aug 202400:00	–	nessus
Tenable Nessus	SUSE SLES15 / openSUSE 15 Security Update : helm (SUSE-SU-2024:1137-1)	9 Apr 202400:00	–	nessus
Tenable Nessus	SUSE SLES15 / openSUSE 15 : Recommended update for helm (SUSE-SU-SUSE-RU-2024:4213-1)	11 Dec 202400:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2024-25620	21 Aug 202500:00	–	nessus
CBLMariner	CVE-2024-25620 affecting package cert-manager for versions less than 1.11.2-12	18 Aug 202414:44	–	cbl_mariner
CBLMariner	CVE-2024-25620 affecting package cert-manager for versions less than 1.12.12-2	25 Aug 202415:13	–	cbl_mariner
CBLMariner	CVE-2024-25620 affecting package helm for versions less than 3.13.2-3	21 Jun 202409:32	–	cbl_mariner
Chainguard	CVE-2024-25620 vulnerabilities	15 Feb 202400:15	–	cgr

Vulners

Node

linux helmRange<3.14.1

Source	Link
github	www.github.com/helm/helm/commit/0d0f91d1ce277b2c8766cdc4c7aa04dbafbf2503
github	www.github.com/helm/helm/security/advisories/GHSA-v53g-5gjp-272r
web	www.web.nvd.nist.gov/view/vuln/detail

14 Jun 2024 00:00Current

6.8Medium risk

Vulners AI Score6.8

CVSS 25.5

CVSS 36.4

EPSS0.00168

Kubernetes Helm path restriction restricted directory store outside directory vulnerability