Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided

Release Date

2022/01/10

Overview

Custom helm chart configuration creates helm commands from string concatenation of provided arguments which are then executed in the user's shell. Arguments can be provided which cause arbitrary shell commands to run on the system.

Affected Products

Lens v5.3.3 and earlier.

Unaffected Products

Lens v5.3.4 and later

Vulnerability Information

CVE Identifier

CVE-2021-23154

CVSSv3.1

6.3 (Medium) CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

CWEs

CWE-94

Mitigations

A targeted user would have to enter the configuration provided by an attacker.

Work arounds

None

Acknowledgements

Reported by Eren Karahasan (locomoco.dev@gmail.com)

Disclosure Timeline

2021/12/17: Fix merged to github.com/lensapp/lens

2021/12/03: reported to Mirantis PSIRT by Eren Karahasan

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

0003.md

0003.md

Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided

Release Date

Overview

Affected Products

Unaffected Products

Vulnerability Information

CVE Identifier

CVSSv3.1

CWEs

Mitigations

Work arounds

Acknowledgements

Disclosure Timeline

Files

0003.md

Latest commit

History

0003.md

File metadata and controls

Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided

Release Date

Overview

Affected Products

Unaffected Products

Vulnerability Information

CVE Identifier

CVSSv3.1

CWEs

Mitigations

Work arounds

Acknowledgements

Disclosure Timeline