In Lens prior to 5.3.4, the custom Helm chart configuration builds helm commands by string concatenation of user-provided arguments, and the resulting command string is executed in the user's shell. Arguments can be provided that cause arbitrary shell commands to run on the system.
Metrics
CVSS Version: 3.1
Base Score: 6.3 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Exploitability Metrics: Attack Vector (AV): LOCAL; Attack Complexity (AC): HIGH; Privileges Required (PR): HIGH; User Interaction (UI): REQUIRED; Scope (S): UNCHANGED
Impact Metrics: Confidentiality Impact (C): HIGH; Integrity Impact (I): HIGH; Availability Impact (A): HIGH
Weakness Enumeration (CWE)
CWE-ID: CWE-94
CWE Name: Improper Control of Generation of Code ('Code Injection')
Source: Mirantis
Common Attack Pattern Enumeration and Classification (CAPEC)