CVE-2021-21303: Injection in Helm V3

CWE-74 (Injection). 8 documents, 6 sources.

Severity
NVD: 6.8 MEDIUM
CNA: 5.9

EPSS
0.4% (top 38.18%)

CISA KEV
Not in KEV

Exploit
No known exploits

Affected products
(none listed)

Timeline
Published: Feb 5
Latest update: Oct 18

Description

Helm is open-source software which is essentially "The Kubernetes Package Manager". Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. In Helm from version 3.0 and before version 3.5.2, there are a few cases where data loaded from potentially untrusted sources was not properly sanitized. When a SemVer in the `version` field of a chart is invalid, in some cases Helm allows the string to be used "as is" without sanitizing. Helm fails to properly sanitized s

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Exploitability: 2.3 | Impact: 4.0

Affected Packages (3 packages)

Source     | Package          | Affected from | Fixed in
NVD        | helm/helm        | 3.0.0         | 3.5.2
Go         | helm.sh/helm_v3  | 3.0.0         | 3.5.2
CVEListV5  | helm/helm        | > 3.0, < 3.5.2

Patches

Vulnerability Details (5)

OSV: Insufficient sanitization of data files in helm.sh/helm/v3 (2022-10-18)
GHSA: Improper Neutralization of Special Elements in Output in helm.sh/helm/v3 (2021-06-23)
OSV: Improper Neutralization of Special Elements in Output in helm.sh/helm/v3 (2021-06-23)
CVEList: Injection attack in Helm (2021-02-05)
OSV: CVE-2021-21303: Helm is open-source software which is essentially "The Kubernetes Package Manager" (2021-02-05)

Vendor Advisories (2)

Microsoft: Injection attack in Helm (2021-02-09)
Red Hat: helm: Unsanitized data displayed directly to user's terminal (2021-02-05)
CVE-2021-21303 — Injection in Helm.sh Helm V3 | cvebase