PT-2020-17854 · Helm
Published 2020-06-16 · Updated 2024-03-06 · CVE-2020-4053
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Helm versions 3.0.0 through 3.2.3
Description
A path traversal attack is possible when installing Helm plugins from a tar archive over HTTP, allowing a malicious plugin author to inject a relative path into a plugin archive and copy a file outside of the intended directory. This issue can lead to information disclosure and potentially allow an attacker to overwrite executable files, configuration files, or other sensitive resources, resulting in remote command execution on the victim's machine.
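The defect described above is a missing check on archive entry names before they are written under the plugin directory. The following is an added illustration, not Helm's own code, of the kind of check that closes this class of bug: every entry name is resolved under the destination with `filepath.Join`, and any name that no longer lies inside that directory is rejected. The destination path and archive contents are constructed sample data.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// safeJoin resolves an archive entry name under dest and rejects any name that, once
// cleaned by filepath.Join, no longer lies inside dest ("a/../../x" collapses; a leading "/" is re-rooted under dest).
func safeJoin(dest, name string) (string, error) {
	dest, target := filepath.Clean(dest), filepath.Join(dest, name)
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "", fmt.Errorf("tar entry %q escapes %s", name, dest)
	}
	return target, nil
}

// safeEntries walks a tar stream and returns the resolved path of every entry,
// failing on the first one that would escape dest. A real extractor must run the
// same check on hdr.Linkname for symlink and hardlink entries.
func safeEntries(dest string, r io.Reader) ([]string, error) {
	tr := tar.NewReader(r)
	var out []string
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return out, err
		}
		p, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return out, err
		}
		out = append(out, p)
	}
	return out, nil
}

// buildArchive writes an in-memory tar with empty regular files (constructed sample).
func buildArchive(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Typeflag: tar.TypeReg})
	}
	tw.Close()
	return buf.Bytes()
}
```

An archive containing `plugin.yaml` and `bin/helper` lists cleanly, while one containing `../../.bashrc` is refused at that entry; an absolute entry name is re-rooted under the plugin directory instead of being written to the absolute location.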
Recommendations
For Helm versions 3.0.0 through 3.2.3, update to version 3.2.4, which resolves the issue. Until the update is applied, avoid installing Helm plugins from tar archives over HTTP, and restrict access to the helm.sh/helm/v3/pkg/plugin/installer package to minimize the risk of exploitation.
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Helm