
CVE-2019-1010275: Helm Improper Certificate Validation

CVSS Score
9.8 (CVSS 3.0)

Basic Information

EPSS Score
0.53146%
Published
5/24/2022
Updated
8/1/2023
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name    Ecosystem    Vulnerable Versions    First Patched Version
helm.sh/helm    go           < 2.7.2                2.7.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from Tiller's TLS configuration accepting self-signed client certificates. The critical change in the fix was modifying the `ClientAuth` mode from `VerifyClientCertIfGiven` to `RequireAndVerifyClientCert` in the `tlsOptions` function. This function controls TLS handshake behavior, and the original setting did not enforce CA validation of client certificates, which is the improper validation at the root of the issue. The commit diff explicitly shows this security-sensitive configuration change, directly addressing CWE-295.
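The two `ClientAuth` modes named above differ in what the server does when a client answers the certificate request with nothing. The following Go program is an added example written for this page (it is not Helm or Tiller code): it runs a real TLS handshake over an in-memory pipe against a server configured with each mode, using a client that trusts the server's CA but offers no certificate of its own. The throwaway CA, the server certificate, the `tiller` server name and the pipe transport are all constructed here for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a certificate from tmpl signed by parent/parentKey, or
// self-signed when parent is nil. Ephemeral test material, not Tiller's certs.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// HandshakeWithoutClientCert performs a TLS handshake over an in-memory pipe
// between a server using the given ClientAuth mode and a client that trusts
// the server's CA but presents no certificate. It returns the server-side
// handshake error; nil means the unauthenticated client was let in.
func HandshakeWithoutClientCert(mode tls.ClientAuthType) error {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return err
	}
	srvCert, srvKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "tiller"},
		DNSNames:  []string{"tiller"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	cliRaw, srvRaw := net.Pipe()
	deadline := now.Add(10 * time.Second)
	_ = cliRaw.SetDeadline(deadline) // a stall becomes an error, not a hang
	_ = srvRaw.SetDeadline(deadline)

	// ClientAuth is the knob the Helm fix changed; everything else is fixed.
	srv := tls.Server(srvRaw, &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientCAs:    pool,
		ClientAuth:   mode,
		MinVersion:   tls.VersionTLS12,
	})
	// No Certificates on the client, so it answers the server's
	// CertificateRequest with an empty certificate list.
	cli := tls.Client(cliRaw, &tls.Config{RootCAs: pool, ServerName: "tiller", MinVersion: tls.VersionTLS12})

	done := make(chan struct{})
	go func() {
		defer close(done)
		defer cli.Close()
		if cli.Handshake() != nil {
			return
		}
		// Drain post-handshake records (session tickets, alerts, close_notify):
		// the pipe is unbuffered, so the server's writes need a reader.
		buf := make([]byte, 64)
		for {
			if _, err := cli.Read(buf); err != nil {
				return
			}
		}
	}()
	srvErr := srv.Handshake()
	srv.Close()
	<-done
	return srvErr
}

func main() {
	for _, m := range []struct {
		name string
		mode tls.ClientAuthType
	}{
		{"VerifyClientCertIfGiven (before fix)", tls.VerifyClientCertIfGiven},
		{"RequireAndVerifyClientCert (after fix)", tls.RequireAndVerifyClientCert},
	} {
		err := HandshakeWithoutClientCert(m.mode)
		fmt.Printf("%-42s unauthenticated client accepted: %v (%v)\n", m.name, err == nil, err)
	}
}
```

With `VerifyClientCertIfGiven` the server completes the handshake for a client that sent no certificate, because that mode only verifies a certificate when one is offered; with `RequireAndVerifyClientCert` the same handshake fails on the server side, which is the behaviour a mutual-TLS deployment like Tiller's needs.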

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

Helm before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were allowed. The component is: helm (many files updated, see https://github.
