BDU:2024-02687

Published: 03 Mar 2024
Source: fstec
CVSS3: 6.5
CVSS2: 6.8
EPSS: Low

Description

A vulnerability in Helm, the package manager for Kubernetes, is caused by a lack of protection for service data. Exploitation of the vulnerability could allow a remote attacker to affect the confidentiality of information.

Vendor

Novell Inc.
The Linux Foundation
Red Hat Inc.

Software name

SUSE Linux Enterprise High Performance Computing
Suse Linux Enterprise Server
SUSE Linux Enterprise Server for SAP Applications
SUSE Manager Proxy
SUSE Manager Server
SUSE Manager Retail Branch Server
SUSE Enterprise Storage
SUSE Linux Enterprise Module for Package Hub
SUSE Linux Enterprise Module for Containers
Helm
Red Hat Advanced Cluster Security

Software version

15 SP3 (SUSE Linux Enterprise High Performance Computing)
15 SP3 (Suse Linux Enterprise Server)
15 SP3 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Proxy)
4.2 (SUSE Manager Server)
15 SP4 (Suse Linux Enterprise Server)
15 SP4 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Retail Branch Server)
4.3 (SUSE Manager Retail Branch Server)
4.3 (SUSE Manager Proxy)
4.3 (SUSE Manager Server)
15 SP4 (SUSE Linux Enterprise High Performance Computing)
7.1 (SUSE Enterprise Storage)
15 SP3-LTSS (Suse Linux Enterprise Server)
15 SP3-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP3-LTSS (SUSE Linux Enterprise High Performance Computing)
15 SP3-BCL (Suse Linux Enterprise Server)
15 SP4 (SUSE Linux Enterprise Module for Package Hub)
15 SP3 (SUSE Linux Enterprise Module for Package Hub)
15 SP5 (SUSE Linux Enterprise Server for SAP Applications)
15 SP5 (Suse Linux Enterprise Server)
15 SP4 (SUSE Linux Enterprise Module for Containers)
15 SP5 (SUSE Linux Enterprise High Performance Computing)
15 SP5 (SUSE Linux Enterprise Module for Package Hub)
15 SP4-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP4-LTSS (SUSE Linux Enterprise High Performance Computing)
15 SP4-LTSS (Suse Linux Enterprise Server)
prior to 3.13.3 (Helm)
15 SP5 (SUSE Linux Enterprise Module for Containers)
15 SP3 (SUSE Linux Enterprise Module for Containers)
4.3 (Red Hat Advanced Cluster Security)
4.4 (Red Hat Advanced Cluster Security)

Software type

Information system application software
Operating system
Network tool

Operating systems and hardware platforms

Novell Inc. Suse Linux Enterprise Server 15 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3
Novell Inc. Suse Linux Enterprise Server 15 SP4
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4
Novell Inc. Suse Linux Enterprise Server 15 SP3-LTSS
Novell Inc. Suse Linux Enterprise Server 15 SP3-BCL
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP5
Novell Inc. Suse Linux Enterprise Server 15 SP5
Novell Inc. Suse Linux Enterprise Server 15 SP4-LTSS

Vulnerability severity level

Medium severity (CVSS 2.0 base score 6.8)
Medium severity (CVSS 3.0 base score 6.5)

Possible remediation measures

Compensating measures:
- do not use the --dry-run flag with helm install and helm upgrade.
Vendor recommendations:
For Helm:
https://github.com/helm/helm/issues/7275
For Novell Inc. products:
https://www.suse.com/security/cve/CVE-2019-25210.html
For Red Hat Inc. products:
https://access.redhat.com/security/cve/CVE-2019-25210

Vulnerability status

Confirmed by the vendor

Exploit availability

Data is being verified

Remediation information

Vulnerability fixed

Identifiers in other vulnerability databases

EPSS

Percentile: 45%
Score: 0.00223
Low

CVSS3: 6.5 Medium

CVSS2: 6.8 Medium

Related vulnerabilities

CVSS3: 6.5
redhat
almost 2 years ago

An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm through 3.13.3. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values). Also, it is not the Helm Project's responsibility if a user decides to use --dry-run within a CI/CD environment whose output is visible to unauthorized persons.

CVSS3: 6.5
nvd
almost 2 years ago

An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm through 3.13.3. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values). Also, it is not the Helm Project's responsibility if a user decides to use --dry-run within a CI/CD environment whose output is visible to unauthorized persons.

CVSS3: 6.5
debian
almost 2 years ago

An issue was discovered in Cloud Native Computing Foundation (CNCF) He ...

CVSS3: 6.5
github
almost 2 years ago

Withdrawn Advisory: Helm shows secrets in clear text
