In GitHub Security Advisory GHSA-qq3j-xp49-j73f, there is a vulnerability in the following Go packages or modules:

- helm.sh/helm/v3/pkg/plugin/installer (module: TODO): introduced 3.0.0, fixed 3.2.4

Cross references:
- CVE-2020-4053 appears in issue #868 NOT_IMPORTABLE
- GHSA-qq3j-xp49-j73f appears in issue #868 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: TODO
      versions:
        - introduced: 3.0.0
          fixed: 3.2.4
      packages:
        - package: helm.sh/helm/v3/pkg/plugin/installer
description: |
    The Helm core maintainers have identified an information disclosure
    vulnerability in Helm 3.0.0-3.2.3.

    ### Impact

    A traversal attack is possible when installing Helm plugins from a tar
    archive over HTTP. It is possible for a malicious plugin author to inject a relative
    path into a plugin archive, and copy a file outside of the intended directory.

    Traversal Attacks are a form of a Directory Traversal that can be exploited by
    extracting files from an archive. The premise of the Directory Traversal
    vulnerability is that an attacker can gain access to parts of the file system
    outside of the target folder in which they should reside. The attacker can
    then overwrite executable files and either invoke them remotely or wait for
    the system or user to call them, thus achieving Remote Command Execution on
    the victim's machine. The vulnerability can also cause damage by overwriting
    configuration files or other sensitive resources, and can be exploited on both
    client (user) machines and servers.

    https://snyk.io/research/zip-slip-vulnerability

    ### Patches

    This issue has been fixed in Helm 3.2.4

    ### For more information
    If you have any questions or comments about this advisory:
    * Open an issue in [the Helm repository](https://github.com/helm/helm/issues)
    * For security-specific issues, email us at [cncf-helm-security@lists.cncf.io](mailto:cncf-helm-security@lists.cncf.io)
cves:
    - CVE-2020-4053
ghsas:
    - GHSA-qq3j-xp49-j73f