{"id":"BIT-helm-2020-4053","summary":"Path Traversal in Helm Plugin Archive","details":"In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. A malicious plugin author can inject a relative path into the plugin archive and thereby cause a file to be copied outside of the intended directory. This has been fixed in 3.2.4.","aliases":["CVE-2020-4053","GHSA-qq3j-xp49-j73f"],"modified":"2025-05-20T10:02:07.006Z","published":"2024-03-06T10:54:38.488Z","database_specific":{"cpes":["cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*"],"severity":"Medium"},"references":[{"type":"WEB","url":"https://github.com/helm/helm/commit/0ad800ef43d3b826f31a5ad8dfbb4fe05d143688"},{"type":"WEB","url":"https://github.com/helm/helm/releases/tag/v3.2.4"},{"type":"WEB","url":"https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-4053"}],"affected":[{"package":{"name":"helm","ecosystem":"Bitnami","purl":"pkg:bitnami/helm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.0.0"},{"fixed":"3.2.4"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/helm/BIT-helm-2020-4053.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"}]}],"schema_version":"1.7.3"}