Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2024-25620 CVE-2024-26147 |
CWE-ID | CWE-22 CWE-457 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Operating systems: openSUSE Leap Micro, SUSE Package Hub 15, Containers Module, SUSE Linux Enterprise Real Time 15, openSUSE Leap, SUSE Linux Enterprise Server for SAP Applications 15, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Desktop 15, SUSE Linux Enterprise Micro, SUSE Linux Enterprise High Performance Computing 15. Packages: helm, helm-debuginfo, helm-bash-completion, helm-fish-completion, helm-zsh-completion |
Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU86548
Risk: Medium
CVSSv4.0: 6.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-25620
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description: The vulnerability allows a remote user to overwrite arbitrary files on the system.
The vulnerability exists due to an input validation error: directory traversal sequences in the chart name taken from Chart.yaml are not rejected when a chart is saved to disk. A remote user can send a specially crafted HTTP request and overwrite arbitrary files on the system.
Remediation: Install the "Recommended update for helm" and update the affected package to the latest version.
Vulnerable software versions: openSUSE Leap Micro: 5.5
SUSE Package Hub 15: 15-SP5 - 15-SP6
Containers Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP5 - SP6
SUSE Linux Enterprise Server 15: SP5 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Micro: 5.5
SUSE Linux Enterprise High Performance Computing 15: SP5
helm-fish-completion: before 3.16.3-150000.1.38.1
helm-bash-completion: before 3.16.3-150000.1.38.1
helm-zsh-completion: before 3.16.3-150000.1.38.1
helm: before 3.16.3-150000.1.38.1
helm-debuginfo: before 3.16.3-150000.1.38.1
Reference: https://www.suse.com/support/update/announcement/2024/suse-ru-20244213-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU88098
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-26147
CWE-ID:
CWE-457 - Use of Uninitialized Variable
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the use of an uninitialized variable in the LoadIndexFile and DownloadIndexFile functions of the repo package and in the LoadDir function of the plugin package. If a repository's index.yaml file or a plugin's plugin.yaml file is missing, the application crashes.
Remediation: Install the "Recommended update for helm" and update the affected package to the latest version.
Vulnerable software versions: openSUSE Leap Micro: 5.5
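The two descriptions above name the checks a loader of chart metadata should make: refuse chart names that carry path components before joining them into a destination directory (the CWE-22 case in the first entry), and return an error rather than a zero-value structure when index.yaml is missing or empty (the CWE-457 crash in this entry). The following Go program is an added illustration written for this bulletin; it is not Helm's code and does not use Helm's API. The `Metadata` and `IndexFile` types, the line-oriented index format, and the `SafeChartPath` / `LoadIndexFromBytes` / `LoadIndexFile` functions are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Metadata is a constructed stand-in for the fields of a Chart.yaml that a
// saver uses to name the on-disk chart directory.
type Metadata struct {
	Name    string
	Version string
}

// ErrBadChartName is returned when a chart name is not a single path element.
var ErrBadChartName = errors.New("chart name must be a single path element")

// SafeChartPath returns destDir/<name> for a chart being saved, refusing any
// name that could escape destDir (separators, "..", empty names). A second
// check on the resolved absolute path guards against anything the first
// check missed.
func SafeChartPath(destDir string, md Metadata) (string, error) {
	name := md.Name
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) || name != filepath.Base(name) {
		return "", ErrBadChartName
	}
	root, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(root, name)
	if !strings.HasPrefix(dest, root+string(filepath.Separator)) {
		return "", ErrBadChartName
	}
	return dest, nil
}

// IndexFile is a constructed stand-in for a repository index. Entries is
// always initialised by the loader so callers can never write to a nil map.
type IndexFile struct {
	APIVersion string
	Entries    map[string][]string // chart name -> versions
}

// ErrMissingIndex is returned for an absent or empty index instead of a
// zero-value IndexFile that would later be dereferenced.
var ErrMissingIndex = errors.New("index file missing or empty")

// LoadIndexFromBytes parses a toy index format (constructed for this example):
// an "apiVersion: <v>" line followed by "<chart> <version>" lines.
func LoadIndexFromBytes(data []byte) (*IndexFile, error) {
	text := strings.TrimSpace(string(data))
	if text == "" {
		return nil, ErrMissingIndex
	}
	idx := &IndexFile{Entries: map[string][]string{}}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		case strings.HasPrefix(line, "apiVersion:"):
			idx.APIVersion = strings.TrimSpace(strings.TrimPrefix(line, "apiVersion:"))
		default:
			fields := strings.Fields(line)
			if len(fields) != 2 {
				return nil, fmt.Errorf("malformed index entry %q", line)
			}
			idx.Entries[fields[0]] = append(idx.Entries[fields[0]], fields[1])
		}
	}
	if idx.APIVersion == "" {
		return nil, errors.New("index has no apiVersion")
	}
	return idx, nil
}

// LoadIndexFile reads an index from disk; a missing file surfaces as an error
// (wrapping os.ErrNotExist) rather than an empty index.
func LoadIndexFile(path string) (*IndexFile, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read index: %w", err)
	}
	return LoadIndexFromBytes(data)
}

func main() {
	// Constructed sample inputs.
	for _, md := range []Metadata{{Name: "nginx", Version: "1.0.0"}, {Name: "../../etc/passwd"}} {
		p, err := SafeChartPath("/tmp/charts", md)
		fmt.Printf("name=%q path=%q err=%v\n", md.Name, p, err)
	}
	_, err := LoadIndexFromBytes([]byte(""))
	fmt.Println("empty index:", err)
	idx, err := LoadIndexFromBytes([]byte("apiVersion: v1\nnginx 1.2.3\nnginx 1.2.4\n"))
	fmt.Println("parsed:", idx.Entries, err)
}
```

Both guards fail closed: a rejected name never reaches the filesystem, and a caller of `LoadIndexFile` gets a non-nil error (testable with `errors.Is(err, os.ErrNotExist)`) instead of a structure whose fields were never set.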
SUSE Package Hub 15: 15-SP5 - 15-SP6
Containers Module: 15-SP5 - 15-SP6
SUSE Linux Enterprise Real Time 15: SP5 - SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP5 - SP6
SUSE Linux Enterprise Server 15: SP5 - SP6
SUSE Linux Enterprise Desktop 15: SP5 - SP6
SUSE Linux Enterprise Micro: 5.5
SUSE Linux Enterprise High Performance Computing 15: SP5
helm-fish-completion: before 3.16.3-150000.1.38.1
helm-bash-completion: before 3.16.3-150000.1.38.1
helm-zsh-completion: before 3.16.3-150000.1.38.1
helm: before 3.16.3-150000.1.38.1
helm-debuginfo: before 3.16.3-150000.1.38.1
Reference: https://www.suse.com/support/update/announcement/2024/suse-ru-20244213-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.