Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14NnI1LXZ4ZmctZ3Ezds4AAhU1

Helm Improper Certificate Validation

helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2.

Permalink: https://github.com/advisories/GHSA-x6r5-vxfg-gq3v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14NnI1LXZ4ZmctZ3Ezds4AAhU1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 9 months ago

CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-x6r5-vxfg-gq3v, CVE-2019-1010275
References:

Repository: https://github.com/helm/helm
Blast Radius: 16.5

Affected Packages

go:helm.sh/helm

Dependent packages: 46
Dependent repositories: 48
Downloads:
Affected Version Ranges: < 2.7.2
Fixed in: 2.7.2
All affected versions: 1.2.1, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1
All unaffected versions: 2.7.2, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.15.2, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.16.9, 2.16.10, 2.16.11, 2.16.12, 2.17.0