CVE-2020-15184

Published: 18 Sep 2020
Source: redhat
CVSS3: 2.7
EPSS: Low

Description

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.
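The workaround described above can be scripted. The following is an added example, not code from Helm or Red Hat: `audit_aliases`, `SAFE_ALIAS` and the sample chart are constructed for illustration, and the allowlist is an assumption that is deliberately stricter than "no newlines or path characters". The function expects an already parsed `Chart.yaml` (for example the dict returned by a YAML loader).

```python
import re

# Assumption: a conservative allowlist (letters, digits, underscore, hyphen).
# Anything outside it is reported even if it is not a newline or path character.
SAFE_ALIAS = re.compile(r"[A-Za-z0-9_-]+")


def audit_aliases(chart):
    """Return (dependency name, alias, reason) for each suspicious alias
    found in the `dependencies` field of a parsed Chart.yaml."""
    findings = []
    for dep in chart.get("dependencies") or []:
        if not isinstance(dep, dict):
            continue
        alias = dep.get("alias")
        if alias is None or alias == "":
            continue  # alias not used: nothing to review
        name = dep.get("name", "<unnamed>")
        if not isinstance(alias, str):
            findings.append((name, alias, "alias is not a string"))
        elif "\n" in alias or "\r" in alias:
            findings.append((name, alias, "contains a newline"))
        elif "/" in alias or "\\" in alias or ".." in alias:
            findings.append((name, alias, "contains path characters"))
        elif not SAFE_ALIAS.fullmatch(alias):
            findings.append((name, alias, "outside the allowlist"))
    return findings


# Constructed sample input: one dependency without alias, one benign alias,
# and two aliases of the kind the advisory says to look for.
SAMPLE_CHART = {
    "apiVersion": "v2",
    "name": "demo",
    "version": "0.1.0",
    "dependencies": [
        {"name": "redis", "version": "1.0.0"},
        {"name": "db", "version": "2.0.0", "alias": "primary-db"},
        {"name": "cache", "version": "3.0.0", "alias": "../../outside"},
        {"name": "queue", "version": "4.0.0", "alias": "mq\ninjected: true"},
    ],
}

if __name__ == "__main__":
    for name, alias, reason in audit_aliases(SAMPLE_CHART):
        print(f"{name}: alias {alias!r} {reason}")
```
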

Affected packages

| Platform | Package | State | Advisory | Release |
| --- | --- | --- | --- | --- |
| Red Hat Advanced Cluster Management for Kubernetes 2 | helm | Affected | | |
| Red Hat OpenStack Platform 16.2 | osp-director-provisioner-container | Not affected | | |
| Red Hat OpenStack Platform 16.2 | rhosp-rhel8-tech-preview/osp-director-downloader | Not affected | | |
| Red Hat OpenStack Platform 16.2 | rhosp-rhel8-tech-preview/osp-director-operator | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acmesolver-container | Fixed | RHEA-2021:0729 | 04.03.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-must-gather-container | Fixed | RHEA-2021:0729 | 04.03.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-operator-bundle-container | Fixed | RHEA-2021:0729 | 04.03.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | application-ui-container | Fixed | RHEA-2021:0729 | 04.03.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cainjector-container | Fixed | RHEA-2021:0729 | 04.03.2021 |
| Red Hat Advanced Cluster Management for Kubernetes 2 | cert-manager-controller-container | Fixed | RHEA-2021:0729 | 04.03.2021 |


Additional information

Status: Low
Defect: CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=1882357
helm: Chart.yaml is not properly sanitized lead to injection of unwanted information into chart

EPSS: 0.00234 (Low), percentile: 46%

CVSS3: 2.7 Low

Related vulnerabilities

CVSS3: 3.7
nvd
more than 5 years ago

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.

CVSS3: 3.7
debian
more than 5 years ago

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the ...

CVSS3: 3.7
github
more than 4 years ago

Aliases are never checked in helm

suse-cvrf
about 5 years ago

Security changes in Kubernetes, etcd, and helm; Bugfix in cri-o package
