9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-1010275

GHSA ID

GHSA-x6r5-vxfg-gq3v

EPSS Score

0.53146%

CWE

CWE-295

Published

5/24/2022

Updated

8/1/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-1010275

CVE-2019-1010275: Helm Improper Certificate Validation

helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2.

(GitHub Advisory)

9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-1010275

GHSA ID

GHSA-x6r5-vxfg-gq3v

EPSS Score

0.53146%

CWE

CWE-295

Published

5/24/2022

Updated

8/1/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
helm.sh/helm	go	< 2.7.2	2.7.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from Tiller's TLS configuration accepting self-signed client certificates. The critical change in the fix was modifying the ClientAuth mode from VerifyClientCertIfGiven to RequireAndVerifyClientCert in the tlsOptions function. This function controls TLS handshake behavior, and the original setting didn't enforce CA validation for client certificates, allowing improper validation. The commit diff explicitly shows this security-sensitive configuration change, directly addressing CWE-295.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**lm ***or* *.*.* is *****t** *y: *W*-***: Improp*r **rti*i**t* V*li**tion. T** imp**t is: Un*ut*oriz** *li*nts *oul* *onn**t to t** s*rv*r ****us* s*l*-si*n** *li*nt **rts w*r* *loow**. T** *ompon*nt is: **lm (m*ny *il*s up**t**, s** *ttps://*it*u*.

Reasoning

T** vuln*r**ility st*mm** *rom Till*r's TLS *on*i*ur*tion ****ptin* s*l*-si*n** *li*nt **rti*i**t*s. T** *riti**l ***n** in t** *ix w*s mo*i*yin* t** `*li*nt*ut*` mo** *rom `V*ri*y*li*nt**rtI**iv*n` to `R*quir**n*V*ri*y*li*nt**rt` in t** `tlsOptions`

9.8

Basic Information

Concerned about an active attack path?

CVE-2019-1010275: Helm Improper Certificate Validation

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI