VYPR
Moderate severity · OSV Advisory · Published Feb 4, 2019 · Updated Aug 5, 2024

CVE-2019-1000008

Description

All versions of Helm >= 2.0.0 and < 2.12.2 contain a CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') vulnerability in the commands helm fetch --untar and helm lint some.tgz: when a chart archive is unpacked, a file may be written outside of the target directory. The issue is exploitable when a victim runs one of these helm commands on a specially crafted chart archive. This vulnerability appears to have been fixed in 2.12.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Helm <2.12.2 contains a path traversal vulnerability in `helm fetch --untar` and `helm lint some.tgz` allowing file writes outside the target directory.

Vulnerability

All versions of Helm between Helm >=2.0.0 and < 2.12.2 contain a CWE-22 path traversal vulnerability ([1], [3]). The commands helm fetch --untar and helm lint some.tgz unsafely unpack chart archive files without properly sanitizing file names that contain references to parent directories ([3]). This allows a specially crafted chart archive to write files outside the intended target directory ([1]).

Exploitation

The attacker must craft a malicious Helm chart archive with file names containing path traversal sequences (e.g., ../) ([3]). A victim must run either helm fetch --untar on the crafted archive or helm lint some.tgz (which unpacks the archive into a temporary directory) ([1], [3]). No other authentication or network position is required beyond delivering the archive to the victim ([3]).

Impact

A successful exploit allows an attacker to write files to arbitrary locations on the victim's filesystem, potentially overwriting existing files ([1], [3]). This is a client-only vulnerability; no Tiller (server-side) component is affected and Kubernetes clusters are not directly compromised ([3]). The impact is limited to the user's local filesystem integrity and potential for further local privilege escalation if sensitive files are overwritten.

Mitigation

Update to Helm >= 2.12.2, which disallows paths that could store files outside the present working directory ([1], [3]). As a workaround, unpack charts with the appropriate tar command instead of using --untar on helm fetch, and do not run helm lint on .tgz files directly; run it on the already-unpacked directory ([3]).
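The containment check that the fixed release adds, together with a scanner that flags escaping entries in a chart archive without writing anything, as an added Go example; it is not Helm's own code, and the extraction root and the in-memory archive fixture are constructed for illustration:

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"io"
	"path/filepath"
	"strings"
)
// EntryEscapes reports whether a tar entry name would resolve outside root once joined and
// cleaned (".." segments climbing above root). Added re-implementation, not Helm's own code.
func EntryEscapes(root, name string) bool {
	rel, err := filepath.Rel(root, filepath.Join(root, name)) // Join cleans ".." segments
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// UnsafeEntries scans a .tgz chart (the input helm fetch --untar and helm lint consume)
// and returns every entry name that would escape root; nothing is written to disk.
func UnsafeEntries(root string, tgz []byte) ([]string, error) {
	zr, err := gzip.NewReader(bytes.NewReader(tgz))
	if err != nil {
		return nil, err
	}
	tr, bad := tar.NewReader(zr), []string{}
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil { // corrupt archive: report rather than partially trust it
			return nil, err
		}
		if EntryEscapes(root, hdr.Name) {
			bad = append(bad, hdr.Name)
		}
	}
	return bad, nil
}

// BuildTgz builds a constructed in-memory archive of one-byte files with the given entry
// names, as a fixture for exercising the scanner; it is not a real chart.
func BuildTgz(names ...string) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	tw := tar.NewWriter(zw)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: 1})
		tw.Write([]byte("x"))
	}
	tw.Close() // writes the tar trailer
	zw.Close() // flushes the gzip footer
	return buf.Bytes()
}
```

Running UnsafeEntries on a fetched archive before unpacking it is the same decision the patched extractor makes per entry, made visible as a list instead of an error.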

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: helm.sh/helm (Go)
Affected versions: >= 2.0.0, < 2.12.2
Patched versions: 2.12.2
