rpm package
opensuse/helm&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/helm&distro=openSUSE%20Tumbleweed
Vulnerabilities (26)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41888 | Med | 6.5 | < 4.2.0-1.1 | 4.2.0-1.1 | May 14, 2026 | Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even w | |
| CVE-2026-33814 | Hig | 7.5 | < 4.2.0-2.1 | 4.2.0-2.1 | May 7, 2026 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. | |
| CVE-2026-35206 | Med | 4.4 | < 4.1.4-2.1 | 4.1.4-2.1 | Apr 9, 2026 | Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working di | |
| CVE-2026-35205 | Hig | 7.8 | < 4.1.4-2.1 | 4.1.4-2.1 | Apr 9, 2026 | Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4. | |
| CVE-2026-35204 | Hig | 8.6 | < 4.1.4-1.1 | 4.1.4-1.1 | Apr 9, 2026 | Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Hel | |
| CVE-2025-58190 | — | < 3.19.1-1.1 | 3.19.1-1.1 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | ||
| CVE-2025-47911 | — | < 3.19.1-1.1 | 3.19.1-1.1 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | ||
| CVE-2025-55199 | — | < 4.1.1-3.1 | 4.1.1-3.1 | Aug 13, 2025 | Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A work | ||
| CVE-2025-53547 | — | < 3.18.4-1.1 | 3.18.4-1.1 | Jul 8, 2025 | Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lo | ||
| CVE-2025-22872 | Med | 6.5 | < 3.18.3-1.1 | 3.18.3-1.1 | Apr 16, 2025 | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul | |
| CVE-2025-22870 | Med | 4.4 | < 3.17.2-1.1 | 3.17.2-1.1 | Mar 12, 2025 | Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. | |
| CVE-2024-45338 | Med | 5.3 | < 3.17.0-2.1 | 3.17.0-2.1 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2024-45337 | Cri | 9.1 | < 3.16.4-1.1 | 3.16.4-1.1 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that | |
| CVE-2024-26147 | — | < 3.14.2-1.1 | 3.14.2-1.1 | Feb 21, 2024 | Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all m | ||
| CVE-2024-25620 | — | < 3.14.2-2.1 | 3.14.2-2.1 | Feb 14, 2024 | Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected direct | ||
| CVE-2023-25173 | — | < 3.13.0-2.1 | 3.13.0-2.1 | Feb 16, 2023 | containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group acces | ||
| CVE-2023-25165 | — | < 3.11.1-1.1 | 3.11.1-1.1 | Feb 8, 2023 | Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a D | ||
| CVE-2022-23526 | — | < 3.10.3-2.1 | 3.10.3-2.1 | Dec 15, 2022 | Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the_chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validati | ||
| CVE-2022-23525 | — | < 3.10.3-2.1 | 3.10.3-2.1 | Dec 15, 2022 | Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds r | ||
| CVE-2022-23524 | — | < 3.10.3-2.1 | 3.10.3-2.1 | Dec 15, 2022 | Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cann |
- affected < 4.2.0-1.1fixed 4.2.0-1.1
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even w
- affected < 4.2.0-2.1fixed 4.2.0-2.1
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
- affected < 4.1.4-2.1fixed 4.1.4-2.1
Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working di
- affected < 4.1.4-2.1fixed 4.1.4-2.1
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
- affected < 4.1.4-1.1fixed 4.1.4-1.1
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Hel
- CVE-2025-58190Feb 5, 2026affected < 3.19.1-1.1fixed 3.19.1-1.1
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
- CVE-2025-47911Feb 5, 2026affected < 3.19.1-1.1fixed 3.19.1-1.1
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
- CVE-2025-55199Aug 13, 2025affected < 4.1.1-3.1fixed 4.1.1-3.1
Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A work
- CVE-2025-53547Jul 8, 2025affected < 3.18.4-1.1fixed 3.18.4-1.1
Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lo
- affected < 3.18.3-1.1fixed 3.18.3-1.1
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
- affected < 3.17.2-1.1fixed 3.17.2-1.1
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
- affected < 3.17.0-2.1fixed 3.17.0-2.1
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- affected < 3.16.4-1.1fixed 3.16.4-1.1
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
- CVE-2024-26147Feb 21, 2024affected < 3.14.2-1.1fixed 3.14.2-1.1
Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all m
- CVE-2024-25620Feb 14, 2024affected < 3.14.2-2.1fixed 3.14.2-2.1
Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected direct
- CVE-2023-25173Feb 16, 2023affected < 3.13.0-2.1fixed 3.13.0-2.1
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group acces
- CVE-2023-25165Feb 8, 2023affected < 3.11.1-1.1fixed 3.11.1-1.1
Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a D
- CVE-2022-23526Dec 15, 2022affected < 3.10.3-2.1fixed 3.10.3-2.1
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the_chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validati
- CVE-2022-23525Dec 15, 2022affected < 3.10.3-2.1fixed 3.10.3-2.1
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds r
- CVE-2022-23524Dec 15, 2022affected < 3.10.3-2.1fixed 3.10.3-2.1
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cann
Page 1 of 2