Description
In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue.
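A pre-flight check for the symlink behaviour described above, as an added example (not code from Helm or SUSE, and not the upstream fix): it inspects a chart directory with lstat() and reports symlinks and special files before the directory is loaded or packaged by a Helm 2.x client. The function names, finding labels and sample chart are assumptions constructed for illustration; POSIX paths are assumed.

```python
import os
import stat

def audit_chart_dir(chart_dir):
    """Return sorted (relative_path, kind, link_text) findings for a chart directory.

    Entries are inspected with lstat(), so nothing is opened or followed.
    """
    root = os.path.realpath(chart_dir)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                # Resolve only to decide whether the link stays inside the chart.
                resolved = os.path.realpath(path)
                inside = os.path.commonpath([root, resolved]) == root
                kind = "symlink-inside" if inside else "symlink-outside"
                findings.append((rel, kind, os.readlink(path)))
            elif not (stat.S_ISREG(mode) or stat.S_ISDIR(mode)):
                # FIFOs, sockets and device nodes have no place in a chart.
                findings.append((rel, "special-file", ""))
    return sorted(findings)

def build_sample_chart(base):
    """Create a constructed chart tree under base; names and contents are made up."""
    chart = os.path.join(base, "demo-chart")
    for sub in ("templates", "files"):
        os.makedirs(os.path.join(chart, sub))
    with open(os.path.join(chart, "Chart.yaml"), "w") as fh:
        fh.write("name: demo-chart\nversion: 0.1.0\n")
    os.symlink("/etc/passwd", os.path.join(chart, "templates", "passwd"))
    os.symlink("/dev/urandom", os.path.join(chart, "files", "rand"))
    os.symlink("Chart.yaml", os.path.join(chart, "notes.txt"))
    return chart

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for rel, kind, link in audit_chart_dir(build_sample_chart(tmp)):
            print(f"{kind:16} {rel} -> {link}")
```

Any `symlink-outside` or `special-file` finding in a chart obtained from an untrusted source is a reason to reject it before running a pre-2.15.2 client against it.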
Overall state of this security issue: Running
This issue is currently rated as having moderate severity.
|National Vulnerability Database||SUSE|
- SUSE-CU-2020:10-1, published Tue Jan 14 00:04:45 MST 2020
- SUSE-CU-2020:11-1, published Tue Jan 14 00:06:18 MST 2020
- SUSE-CU-2020:12-1, published Tue Jan 14 00:07:21 MST 2020
- SUSE-CU-2020:13-1, published Tue Jan 14 00:09:17 MST 2020
- SUSE-CU-2020:14-1, published Tue Jan 14 00:44:36 MST 2020
List of released packages
|Product(s)||Fixed package version(s)||References|
|openSUSE Tumbleweed|| ||Patchnames: openSUSE Tumbleweed GA helm-mirror-0.3.1-1.9|
Status of this issue by product and package
Please note that this evaluation state might be a work in progress, incomplete, or outdated. Also, information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification.
|SUSE CaaS Platform 3.0||helm||Affected|
|SUSE CaaS Platform 4.0||helm||Released|
|SUSE CaaS Platform 4.0||release-notes-caasp||In progress|