Vulnerability DatabaseCVE-2024-25620
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-25620
February 14, 2024
Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies.
Affected Packages
helm.sh/helm/v3 (GO):
Affected version(s) >=v3.0.0-beta.3.0.20191003182705-9bc7934f3502 <v3.14.1
Fix Suggestion:
Update to version v3.14.1
Related Resources (5)
https://nvd.nist.gov/vuln/detail/CVE-2024-25620
https://github.com/helm/helm/releases/tag/v3.14.1
https://github.com/helm/helm/security/advisories/GHSA-v53g-5gjp-272r
https://github.com/helm/helm
https://github.com/helm/helm/commit/0d0f91d1ce277b2c8766cdc4c7aa04dbafbf2503
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Relative Path Traversal
CWE-23
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22
EPSS
Base Score:
0.17