2.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
18.1%
During a security audit of Helm’s code base, security researchers at Trail of Bits identified a bug in which the alias
field on a Chart.yaml
is not properly sanitized. This could lead to the injection of unwanted information into a chart.
This issue has been patched in Helm 3.3.2 and 2.16.11
Manually review the dependencies
field of any untrusted chart, verifying that the alias
field is either not used, or (if used) does not contain newlines or path characters.
CPE | Name | Operator | Version |
---|---|---|---|
helm.sh/helm | lt | 2.16.11 | |
helm.sh/helm/v3 | lt | 3.3.2 |
2.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
18.1%