PT-2019-15560 · Helm+2

Published 2019-11-12 · Updated 2024-08-20 · CVE-2019-18658

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Helm versions 2.x through 2.15.1
Description: A maliciously crafted chart can use symlinks to pull sensitive content from the client host, such as /etc/passwd, into the chart when it is loaded or packaged, or to cause a denial of service (DoS) by pointing at a special file, such as /dev/urandom, that never reaches end-of-file. This is a client-side issue only; no version of Tiller is affected.
Recommendations: Update Helm 2.x installations to version 2.15.2 or later. Until the update is in place, as a temporary workaround, do not allow symlinks in charts, and avoid commands that load a chart from a directory or package a chart obtained from untrusted sources.
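A concrete form of the symlink workaround above, written as an added example in Go (Helm's own language); it is not code from this advisory or from the Helm project. Rather than rejecting every symlink, it refines the rule to the two patterns the description names: a link that resolves to a path outside the chart directory, and a link to a non-regular file such as a device. The function names ScanChart, checkSymlink and BuildDemoChart are chosen here, and the demo chart layout with links to /etc/passwd and /dev/urandom is constructed for the example to mirror the description.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

type Finding struct {
	Path   string // slash-separated path relative to the chart root
	Reason string
}

// ScanChart walks a chart directory without following symlinks and reports every
// symlink that would pull outside content into the chart when it is loaded or
// packaged: a resolved target outside the chart root (templates/passwd -> /etc/passwd)
// or a non-regular target such as a device (values.yaml -> /dev/urandom).
// Symlinks that stay inside the chart and point at regular files pass.
func ScanChart(root string) ([]Finding, error) {
	absRoot, err := filepath.Abs(root)
	if err == nil {
		// Resolve the root too (e.g. /var -> /private/var on macOS) so it compares with targets.
		absRoot, err = filepath.EvalSymlinks(absRoot)
	}
	if err != nil {
		return nil, err
	}
	var findings []Finding
	err = filepath.WalkDir(absRoot, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.Type()&fs.ModeSymlink == 0 {
			return err // propagate walk errors; non-symlinks are ordinary content
		}
		if reason := checkSymlink(absRoot, p); reason != "" {
			rel, _ := filepath.Rel(absRoot, p) // p is always beneath absRoot here
			findings = append(findings, Finding{Path: filepath.ToSlash(rel), Reason: reason})
		}
		return nil
	})
	return findings, err
}

// checkSymlink returns "" for an acceptable link, otherwise the reason to reject it.
func checkSymlink(root, link string) string {
	target, err := filepath.EvalSymlinks(link)
	if err != nil {
		return "dangling or unresolvable symlink: " + err.Error()
	}
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "symlink escapes chart root -> " + target
	}
	if info, err := os.Stat(target); err != nil || (!info.Mode().IsRegular() && !info.IsDir()) {
		return "symlink to non-regular file -> " + target
	}
	return ""
}

// BuildDemoChart writes a constructed chart into dir: one regular file, one
// legitimate in-chart symlink and the two hostile symlinks the advisory describes.
func BuildDemoChart(dir string) error {
	if err := os.MkdirAll(filepath.Join(dir, "templates"), 0o755); err != nil {
		return err
	}
	chart := []byte("apiVersion: v1\nname: demo\nversion: 0.1.0\n")
	if err := os.WriteFile(filepath.Join(dir, "Chart.yaml"), chart, 0o644); err != nil {
		return err
	}
	links := map[string]string{ // link name -> target
		"templates/chart-link": "../Chart.yaml", // stays inside the chart: allowed
		"templates/passwd":     "/etc/passwd",   // would disclose host content
		"values.yaml":          "/dev/urandom",  // would read forever: DoS
	}
	for name, target := range links {
		if err := os.Symlink(target, filepath.Join(dir, name)); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "chart-scan-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err = BuildDemoChart(dir); err != nil {
		panic(err)
	}
	findings, err := ScanChart(dir)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("REJECT %s: %s\n", f.Path, f.Reason)
	}
}
```

Run it against an untrusted chart directory before `helm package` or any command that loads the chart from disk; a non-empty result means the chart should not be packaged. Links are resolved fully, so chains of links and links through symlinked parent directories are judged by where they finally land rather than by their literal text, and an in-chart link to a regular file (templates/chart-link in the demo) is left alone.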

Fix

DoS

Link Following

Weakness Enumeration

Related Identifiers

ALT-PU-2020-1538
ALT-PU-2020-2339
CVE-2019-18658
GHSA-P5PC-M4Q7-7QM9
GO-2023-1938
OPENSUSE-SU-2022_1888-1
OPENSUSE-SU-2024:10842-1
SUSE-SU-2022:1888-1
SUSE-SU-2022_1888-1

Affected Products

Alt Linux
Helm
Suse