Lucene search

[email protected]CVE-2020-4053

HistoryJun 16, 2020 - 10:15 p.m.

CVE-2020-4053

2020-06-1622:15:10

CWE-22

[email protected]

web.nvd.nist.gov

cve-2020-4053

helm

path traversal

security vulnerability

file copy

nvd

8.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

6.4 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.5%

JSON

In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4.

Affected configurations

Vulners

NVD

Node

the_helm_projecthelmRange3.0.0–3.2.4

CPENameOperatorVersion
helm:helmhelmlt3.2.4

CPE	Name	Operator	Version
helm:helm	helm	lt	3.2.4

CNA Affected

[
  {
    "product": "Helm",
    "vendor": "The Helm Project",
    "versions": [
      {
        "status": "affected",
        "version": ">= 3.0.0, < 3.2.4"
      }
    ]
  }
]