Skip to main content

Helm CVE-2019-18658

CRITICAL
Improper Link Resolution Before File Access (CWE-59)
2019-11-12 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 12, 2019 - 14:15 nvd
CRITICAL 9.8

DescriptionNVD

In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue.

AnalysisAI

In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-59. In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue. Affected products include: Helm. Version information: before 2.15.2.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Helm

View all
CVE-2019-1000008 MEDIUM POC
6.5 Feb 04

All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restric

CVE-2019-1010275 CRITICAL
9.8 Jul 17

helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. Rated critical severity (CVSS 9.8), this vul

CVE-2020-11013 MEDIUM POC
5.0 Apr 24

Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. Rated medium sever

CVE-2021-32690 HIGH
8.6 Jun 16

Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). Rated high severity (CVSS 8.6), th

CVE-2025-53547 HIGH
8.5 Jul 08

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a s

CVE-2026-35205 HIGH
8.4 Apr 09

Helm 4.0.0 through 4.1.3 silently installs Kubernetes plugins without cryptographic provenance verification even when si

CVE-2026-35204 HIGH
8.4 Apr 09

Path traversal in Helm 4.0.0-4.1.3 allows local attackers to write arbitrary files during plugin installation or update

CVE-2023-25165 MEDIUM POC
4.3 Feb 08

Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template funct

CVE-2024-26147 HIGH
7.5 Feb 21

Helm is a package manager for Charts for Kubernetes. Rated high severity (CVSS 7.5), this vulnerability is remotely expl

CVE-2022-23526 HIGH
7.5 Dec 15

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerabil

CVE-2022-23525 HIGH
7.5 Dec 15

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerabil

CVE-2022-23524 HIGH
7.5 Dec 15

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerabil

Share

CVE-2019-18658 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy