ALT-PU-2025-9626-3 — portainer

BDU:2025-08556

HIGH7.5

Уязвимость компонента Verify языка программирования Go, позволяющая нарушителю обойти существующие ограничения безопасности

Published: 2025-07-16Modified: 2026-04-17

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:C/A:N

References

CVE-2025-22874

BDU:2025-10843

HIGH8.5

Уязвимость пакетного менеджера для Kubernetes Helm, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код

Published: 2025-09-08Modified: 2025-09-09

CVSS 3.xHIGH 8.5

CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:C/A:C

References

CVE-2025-53547

CVE-2025-22781

MEDIUM6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nativery Nativery nativery allows DOM-Based XSS.This issue affects Nativery: from n/a through <= 0.1.6.

Published: 2025-01-15Modified: 2026-04-23

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

References

https://patchstack.com/database/Wordpress/Plugin/nativery/vulnerability/wordpress-nativery-plugin-plugin-0-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve

CVE-2025-22874

HIGH7.5

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

Published: 2025-06-11Modified: 2026-04-15

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

CVE-2025-53547

HIGH8.6

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.

Published: 2025-07-08Modified: 2025-09-03

CVSS 3.xHIGH 8.6

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

GHSA-557j-xg8c-q2mm

HIGH8.5

Helm vulnerable to Code Injection through malicious chart.yaml content

Published: 2025-07-09Modified: 2025-07-17

CVSS 3.xHIGH 8.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H

References

Package update portainer in branch sisyphus

Closed issues (6)

Уязвимость компонента Verify языка программирования Go, позволяющая нарушителю обойти существующие ограничения безопасности

Уязвимость пакетного менеджера для Kubernetes Helm, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nativery Nativery nativery allows DOM-Based XSS.This issue affects Nativery: from n/a through <= 0.1.6.

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

Helm vulnerable to Code Injection through malicious chart.yaml content