CVSS2
Attack Vector : NETWORK
Attack Complexity : MEDIUM
Authentication : SINGLE
Confidentiality Impact : NONE
Integrity Impact : PARTIAL
Availability Impact : NONE
Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector : NETWORK
Attack Complexity : LOW
Privileges Required : LOW
User Interaction : REQUIRED
Scope : CHANGED
Confidentiality Impact : NONE
Integrity Impact : HIGH
Availability Impact : NONE
Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
EPSS
Percentile : 24.2%
Severity: Low
Date : 2021-02-07
CVE-ID : CVE-2021-21303
Package : helm
Type : insufficient validation
Remote : No
Link : https://security.archlinux.org/AVG-1539
The package helm before version 3.5.2-1 is vulnerable to insufficient validation.
Upgrade to 3.5.2-1.
The problem has been fixed upstream in version 3.5.2.
None.
In Helm from version 3.0 and before version 3.5.2, there are a few cases where data loaded from potentially untrusted sources was not properly sanitized. When a SemVer in the version field of a chart is invalid, in some cases Helm allows the string to be used "as is" without sanitizing. Helm fails to properly sanitize some fields present in Helm repository index.yaml files. Helm does not properly sanitize some fields in the plugin.yaml file for plugins. In some cases, Helm does not properly sanitize the fields in the Chart.yaml file.

By exploiting these attack vectors, core maintainers were able to send deceptive information to a terminal screen running the helm command, as well as obscure or alter information on the screen. In some cases, attackers could send codes that terminals used to execute higher-order logic, like clearing a terminal screen. Further, during evaluation, the Helm maintainers discovered a few other fields that were not properly sanitized when read out of repository index files. This fix remedies all such cases, and once again enforces SemVer2 policies on version fields. All users of Helm 3 should upgrade to the fixed version 3.5.2 or later. Those who use Helm as a library should verify that they either sanitize this data on their own, or use the proper Helm API calls to sanitize the data.

An attacker might be able to spoof the contents of the terminal when the user runs the "helm" command on a crafted Helm chart that includes unsanitized terminal input codes.
https://github.com/helm/helm/security/advisories/GHSA-c38g-469g-cmgx
https://github.com/helm/helm/commit/2bf5c280d56e0043bf1870f84d63e82d5c5d4230
https://security.archlinux.org/CVE-2021-21303