CVE-2019-18658Link Following in Helm

CWE-59Link Following5 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.6%
top 31.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Helm.sh HelmHelm
Timeline
PublishedNov 12
Latest updateAug 20

Description

In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDhelm/helm2.0.02.15.2
Gohelm.sh/helm2.0.0+incompatible2.15.2+incompatible+1

🔴Vulnerability Details

4
OSV
Helm Unsafe Link Following in helm.sh/helm2024-08-20
OSV
Helm Unsafe Link Following2022-05-24
GHSA
Helm Unsafe Link Following2022-05-24
CVEList
CVE-2019-18658: In Helm 22019-11-12
CVE-2019-18658 — Link Following in Helm.sh Helm | cvebase