Critical severityNVD Advisory· Published Nov 12, 2019· Updated Aug 5, 2024
CVE-2019-18658
CVE-2019-18658
Description
In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
helm.sh/helmGo | >= 2.0.0, < 2.15.2 | 2.15.2 |
Affected products
7- Helm/Helmdescription
- ghsa-coords6 versionspkg:golang/helm.sh/helmpkg:rpm/opensuse/helm-mirror&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/helm-mirror&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/helm-mirror&distro=openSUSE%20Tumbleweedpkg:rpm/suse/helm-mirror&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/helm-mirror&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4
>= 2.0.0, < 2.15.2+ 5 more
- (no CPE)range: >= 2.0.0, < 2.15.2
- (no CPE)range: < 0.3.1-150000.1.13.1
- (no CPE)range: < 0.3.1-150000.1.13.1
- (no CPE)range: < 0.3.1-1.9
- (no CPE)range: < 0.3.1-150000.1.13.1
- (no CPE)range: < 0.3.1-150000.1.13.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-p5pc-m4q7-7qm9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-18658ghsaADVISORY
- helm.sh/blog/2019-10-30-helm-symlink-security-noticeghsaWEB
- helm.sh/blog/2019-10-30-helm-symlink-security-notice/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.