CVE-2019-1010275 - OpenCVE

helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Helm	Helm

Configuration 1 [-]

cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/helm/helm/pull/3152
https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50
https://github.com/helm/helm/releases/tag/v2.7.2

History

No history.

MITRE

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-17T20:14:50

Updated: 2024-08-05T03:07:18.493Z

Reserved: 2019-03-20T00:00:00

Link: CVE-2019-1010275

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-17T21:15:10.953

Modified: 2019-10-09T23:44:18.603

Link: CVE-2019-1010275

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "helm", "vendor": "helm", "versions": [{"status": "affected", "version": "Before 2.7.2 [fixed: 2.7.2]"}]}], "descriptions": [{"lang": "en", "value": "helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-07-17T20:14:50", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/helm/helm/releases/tag/v2.7.2"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/helm/helm/pull/3152"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010275", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "helm", "version": {"version_data": [{"version_value": "Before 2.7.2 [fixed: 2.7.2]"}]}}]}, "vendor_name": "helm"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295: Improper Certificate Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/helm/helm/releases/tag/v2.7.2", "refsource": "MISC", "url": "https://github.com/helm/helm/releases/tag/v2.7.2"}, {"name": "https://github.com/helm/helm/pull/3152", "refsource": "MISC", "url": "https://github.com/helm/helm/pull/3152"}, {"name": "https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50", "refsource": "MISC", "url": "https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:18.493Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/helm/helm/releases/tag/v2.7.2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/helm/helm/pull/3152"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50"}]}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010275", "datePublished": "2019-07-17T20:14:50", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2024-08-05T03:07:18.493Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD7D397E-0D6D-474F-854B-4989F47C5E86", "versionEndExcluding": "2.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2."}, {"lang": "es", "value": "helm anterior a versi\u00f3n 2.7.2, est\u00e1 afectado por: CWE-295: Comprobaci\u00f3n de Certificado Inapropiado. El impacto es: Los clientes no autorizados podr\u00edan conectarse al servidor porque alegaron certificados de cliente autofirmados. El componente es: helm (muchos archivos actualizados, vea https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). El vector de ataque es: Un cliente malicioso podr\u00eda conectarse al servidor por medio de la red. La versi\u00f3n corregida es: 2.7.2."}], "id": "CVE-2019-1010275", "lastModified": "2019-10-09T23:44:18.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-17T21:15:10.953", "references": [{"source": "josh@bress.net", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/helm/helm/pull/3152"}, {"source": "josh@bress.net", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50"}, {"source": "josh@bress.net", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/helm/helm/releases/tag/v2.7.2"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "josh@bress.net", "type": "Secondary"}]}