Skip to main content

Helm CVE-2020-4053

MEDIUM
Path Traversal (CWE-22)
2020-06-16 security-advisories@github.com
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 16, 2020 - 22:15 nvd
MEDIUM 6.8

DescriptionNVD

In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4.

AnalysisAI

In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4. Affected products include: Helm.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

More in Helm

View all
CVE-2019-1000008 MEDIUM POC
6.5 Feb 04

All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restric

CVE-2019-18658 CRITICAL
9.8 Nov 12

In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opport

CVE-2019-1010275 CRITICAL
9.8 Jul 17

helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. Rated critical severity (CVSS 9.8), this vul

CVE-2020-11013 MEDIUM POC
5.0 Apr 24

Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. Rated medium sever

CVE-2021-32690 HIGH
8.6 Jun 16

Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). Rated high severity (CVSS 8.6), th

CVE-2025-53547 HIGH
8.5 Jul 08

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a s

CVE-2026-35205 HIGH
8.4 Apr 09

Helm 4.0.0 through 4.1.3 silently installs Kubernetes plugins without cryptographic provenance verification even when si

CVE-2026-35204 HIGH
8.4 Apr 09

Path traversal in Helm 4.0.0-4.1.3 allows local attackers to write arbitrary files during plugin installation or update

CVE-2023-25165 MEDIUM POC
4.3 Feb 08

Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template funct

CVE-2024-26147 HIGH
7.5 Feb 21

Helm is a package manager for Charts for Kubernetes. Rated high severity (CVSS 7.5), this vulnerability is remotely expl

CVE-2022-23526 HIGH
7.5 Dec 15

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerabil

CVE-2022-23525 HIGH
7.5 Dec 15

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerabil

Share

CVE-2020-4053 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy