Command injection in Lens causes arbitrary shell command execution when malicious custom helm chart configuration provided
Release Date
2022/01/10
Overview
Custom helm chart configuration creates helm commands from string concatenation of provided arguments which are then executed in the user's shell. Arguments can be provided which cause arbitrary shell commands to run on the system.
Affected Products
Lens v5.3.3 and earlier.
Unaffected Products
Lens v5.3.4 and later
Vulnerability Information
CVE Identifier
CVE-2021-23154
CVSSv3.1
6.3 (Medium) CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWEs
CWE-94
Mitigations
A targeted user would have to enter the configuration provided by an attacker.
Work arounds
None
Acknowledgements
Reported by Eren Karahasan (locomoco.dev@gmail.com)
Disclosure Timeline
2021/12/17: Fix merged to github.com/lensapp/lens
2021/12/03: reported to Mirantis PSIRT by Eren Karahasan