19 matches found
BIT-HELM-2026-35204 Helm has a path traversal in plugin metadata version that enables arbitrary file write outside the Helm plugin directory
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal in the version directive of a plugin.yaml. An attacker can overwrite arbitrary files on the filesystem with the contents of a plugin by installing or updating it while its plugin.yaml file contains malicious path...
EUVD-2021-1035
Malware in sbrugna...
EUVD-2024-0709
Malicious code in bioql PyPI...
GHSA-R53H-JV2G-VPX6 Helm's Missing YAML Content Leads To Panic
A Helm contributor discovered an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. Impact: When either an index.yaml file or a plugin's plugin.yaml file was missing all metadata, a panic would occur in Helm. In the Helm SDK this is found when...
CVE-2024-26147
Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an index.yaml file or a plugin's plugin.yaml file was missing all metadata, a panic would...
AZL-38497 CVE-2024-26147 affecting package helm for versions less than 3.13.2-3
Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an index.yaml file or a plugin's plugin.yaml file was missing all metadata, a panic would...
CVE-2024-26147 Helm's Missing YAML Content Leads To Panic
Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an index.yaml file or a plugin's plugin.yaml file was missing all metadata, a panic would...
CVE-2024-26147
CVE-2024-26147 affects Helm before 3.14.2. When Helm parses index.yaml or plugins/plugin.yaml with missing content, an uninitialized variable can cause a panic. In the Helm SDK this is exposed via LoadIndexFile, DownloadIndexFile, or LoadDir, and in the Helm client it can affect repo-adding workf...
Security Bulletin: Multiple vulnerabilities affect IBM Db2 On Openshift, IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data
Summary: IBM has released the fix below for IBM Db2® On Openshift, IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components. Vulnerability Details: CVEID: CVE-2020-15187 DESCRIPTION: Helm could allow a remote...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Helm is open-source software which is essentially "The Kubernetes Package Manager". Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. In Helm from version 3.0 and before version 3.5.2, there are a few cases where data loaded from potentially untrusted...
GHSA-M54R-VRMV-HW33 Improper Sanitizing of plugin names in helm
Impact: Security researchers at Trail of Bits discovered that plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to hel...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to helm --help. This issu...
CVE-2021-21303 Injection attack in Helm
Helm is open-source software which is essentially "The Kubernetes Package Manager". Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. In Helm from version 3.0 and before version 3.5.2, there are a few cases where data loaded from potentially untrusted...
CVE-2020-15186
In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to helm --help. This issu...
Command Injection
github.com/helm/helm is vulnerable to command injection. The name and YAML data from the plugin.yaml is not sanitized when a plugin is loaded from a given directory. This allows an attacker to inject arbitrary characters to cause unexpected behaviors such as loading of malicious plugins or spoofi...
CVE-2020-15186 Improper sanitization of plugin names in Helm
In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to helm --help. This issu...