ALT-PU-2025-9626-3 — portainer

BDU:2025-08556

HIGH7.5

Уязвимость компонента Verify языка программирования Go, позволяющая нарушителю обойти существующие ограничения безопасности

Опубликовано: 2025-07-16Изменено: 2026-04-17

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS 2.0ВЫСОКАЯ 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:C/A:N

Ссылки

CVE-2025-22874

BDU:2025-10843

HIGH8.5

Уязвимость пакетного менеджера для Kubernetes Helm, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код

Опубликовано: 2025-09-08Изменено: 2025-09-09

CVSS 3.xВЫСОКАЯ 8.5

CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H

CVSS 2.0СРЕДНЯЯ 6.8

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:C/A:C

Ссылки

CVE-2025-53547

CVE-2025-22781

MEDIUM6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nativery Nativery nativery allows DOM-Based XSS.This issue affects Nativery: from n/a through <= 0.1.6.

Опубликовано: 2025-01-15Изменено: 2026-04-23

CVSS 3.xСРЕДНЯЯ 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Ссылки

https://patchstack.com/database/Wordpress/Plugin/nativery/vulnerability/wordpress-nativery-plugin-plugin-0-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve

CVE-2025-22874

HIGH7.5

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

Опубликовано: 2025-06-11Изменено: 2026-04-15

CVSS 3.xВЫСОКАЯ 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Ссылки

CVE-2025-53547

HIGH8.6

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.

Опубликовано: 2025-07-08Изменено: 2025-09-03

CVSS 3.xВЫСОКАЯ 8.6

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Ссылки

GHSA-557j-xg8c-q2mm

HIGH8.5

Helm vulnerable to Code Injection through malicious chart.yaml content

Опубликовано: 2025-07-09Изменено: 2025-07-17

CVSS 3.xВЫСОКАЯ 8.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H

Ссылки

Обновление пакета portainer в ветке sisyphus

Закрытые проблемы (6)

Уязвимость компонента Verify языка программирования Go, позволяющая нарушителю обойти существующие ограничения безопасности

Уязвимость пакетного менеджера для Kubernetes Helm, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nativery Nativery nativery allows DOM-Based XSS.This issue affects Nativery: from n/a through <= 0.1.6.

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

Helm vulnerable to Code Injection through malicious chart.yaml content