4.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
IBM Cloud Private is vulnerable to Helm vulnerabilities
CVEID:CVE-2020-15187
**DESCRIPTION:**Helm could allow a remote authenticated attacker to bypass security restrictions, caused by an issue with containing duplicates of the same entry in the plugin.yaml file. By sending a specially-crafted input, an attacker could exploit this vulnerability to modify a pluginโs install hooks to perform a local execution attackโฆ
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188456 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID:CVE-2020-15186
**DESCRIPTION:**Helm could allow a remote attacker to bypass security restrictions, caused by improper input valuation by the plugin names. By sending a specially-crafted input, an attacker could exploit this vulnerability to duplicate the name of another plugin or spoofing the output to helm --help.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188455 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2020-15185
**DESCRIPTION:**Helm could allow a remote authenticated attacker to bypass security restrictions, caused by an issue with allowing duplicates of the same chart entry in the repository index file. By sending a specially-crafted input, an attacker could exploit this vulnerability to inject a bad chart into a repository.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188454 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2020-15184
**DESCRIPTION:**Helm could allow a remote attacker to bypass security restrictions, caused by improper input valuation by the alias field on a Chart.yaml. By sending a specially-crafted input, an attacker could exploit this vulnerability to inject unwanted information into a chart.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188453 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Cloud Private | 3.2.1 CD |
IBM Cloud Private | 3.2.2 CD |
Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages
For IBM Cloud Private 3.2.1, apply fix pack:
For IBM Cloud Private 3.2.2, apply fix pack:
For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0:
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm cloud private | eq | 3.2.1 | |
ibm cloud private | eq | 3.2.2 |
4.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P