csaf_redhat - rhsa-2025:16535

rhsa-2025:16535

Vulnerability from csaf_redhat

Published

2025-09-23 21:08

Modified

2025-10-10 14:57

Summary

Red Hat Security Advisory: OpenShift Container Platform 4.19 ztp-site-generate container

Notes

Topic

An update for ztp-site-generate is available for Red Hat OpenShift Container Platform 4.19.

Details

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the ztp-site-generate image for Red Hat OpenShift Container Platform 4.19. All OpenShift Container Platform users are advised to upgrade to these updated packages and images.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for ztp-site-generate is available for Red Hat OpenShift Container Platform 4.19.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\nThis advisory contains the ztp-site-generate image for Red Hat OpenShift Container Platform 4.19.\nAll OpenShift Container Platform users are advised to upgrade to these updated packages and images.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:16535",
        "url": "https://access.redhat.com/errata/RHSA-2025:16535"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-53547",
        "url": "https://access.redhat.com/security/cve/CVE-2025-53547"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_16535.json"
      }
    ],
    "title": "Red Hat Security Advisory: OpenShift Container Platform 4.19 ztp-site-generate container",
    "tracking": {
      "current_release_date": "2025-10-10T14:57:24+00:00",
      "generator": {
        "date": "2025-10-10T14:57:24+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.9"
        }
      },
      "id": "RHSA-2025:16535",
      "initial_release_date": "2025-09-23T21:08:55+00:00",
      "revision_history": [
        {
          "date": "2025-09-23T21:08:55+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-09-23T21:09:02+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-10-10T14:57:24+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Container Platform 4.19",
                "product": {
                  "name": "Red Hat OpenShift Container Platform 4.19",
                  "product_id": "Red Hat OpenShift Container Platform 4.19",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:4.19::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Container Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift4/ztp-site-generate-rhel8@sha256:a26870f0981a8f939a0ec7e2cbf794f3f4b7121802474a79570bdb44e61e2a2a_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift4/ztp-site-generate-rhel8@sha256:a26870f0981a8f939a0ec7e2cbf794f3f4b7121802474a79570bdb44e61e2a2a_amd64",
                  "product_id": "registry.redhat.io/openshift4/ztp-site-generate-rhel8@sha256:a26870f0981a8f939a0ec7e2cbf794f3f4b7121802474a79570bdb44e61e2a2a_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/ztp-site-generate-rhel8@sha256%3Aa26870f0981a8f939a0ec7e2cbf794f3f4b7121802474a79570bdb44e61e2a2a?arch=amd64\u0026repository_url=registry.redhat.io/openshift4"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift4/ztp-site-generate-rhel8@sha256:a26870f0981a8f939a0ec7e2cbf794f3f4b7121802474a79570bdb44e61e2a2a_amd64 as a component of Red Hat OpenShift Container Platform 4.19",
          "product_id": "Red Hat OpenShift Container Platform 4.19:registry.redhat.io/openshift4/ztp-site-generate-rhel8@sha256:a26870f0981a8f939a0ec7e2cbf794f3f4b7121802474a79570bdb44e61e2a2a_amd64"
        },
        "product_reference": "registry.redhat.io/openshift4/ztp-site-generate-rhel8@sha256:a26870f0981a8f939a0ec7e2cbf794f3f4b7121802474a79570bdb44e61e2a2a_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Container Platform 4.19"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-53547",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "discovery_date": "2025-07-08T22:01:16.594090+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2378905"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A command injection vulnerability has been identified in Helm, a package manager for Kubernetes. An attacker can craft a malicious Chart.yaml file with specially linked dependencies in a Chart.lock file. If the Chart.lock file is a symbolic link to an executable file, such as a shell script, and a user attempts to update the dependencies, the crafted content is written to the symlinked file and executed. This can lead to local code execution on the system. This issue has been patched in Helm version 3.18.4, and users should update to this version to mitigate the risk.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "helm.sh/helm/v3: Helm Chart Code Execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Although GitOps ships Helm, this product is not vulnerable to this vulnerability as ArgoCD doesn\u0027t use helm dependency update. Additionally ArgoCD scans the whole repository searching for symbolic links that eventually points to a out of bounds destination, this later feature ensures ArgoCD is not vulnerable for this issue. Given this information ArgoCD won\u0027t be updated to pull a new version of Helm in other versions than the currently latest upstream one.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Container Platform 4.19:registry.redhat.io/openshift4/ztp-site-generate-rhel8@sha256:a26870f0981a8f939a0ec7e2cbf794f3f4b7121802474a79570bdb44e61e2a2a_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-53547"
        },
        {
          "category": "external",
          "summary": "RHBZ#2378905",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2378905"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-53547",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-53547"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-53547",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53547"
        },
        {
          "category": "external",
          "summary": "https://github.com/helm/helm/commit/4b8e61093d8f579f1165cdc6bd4b43fa5455f571",
          "url": "https://github.com/helm/helm/commit/4b8e61093d8f579f1165cdc6bd4b43fa5455f571"
        },
        {
          "category": "external",
          "summary": "https://github.com/helm/helm/security/advisories/GHSA-557j-xg8c-q2mm",
          "url": "https://github.com/helm/helm/security/advisories/GHSA-557j-xg8c-q2mm"
        }
      ],
      "release_date": "2025-07-08T21:39:59.075000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-09-23T21:08:55+00:00",
          "details": "For OpenShift Container Platform 4.19, see the following documentation for important instructions about upgrading your cluster and applying this asynchronous errata update:\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/release_notes/index\nInformation about accessing this content is available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html-single/updating_clusters/index#updating-cluster-cli",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.19:registry.redhat.io/openshift4/ztp-site-generate-rhel8@sha256:a26870f0981a8f939a0ec7e2cbf794f3f4b7121802474a79570bdb44e61e2a2a_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:16535"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat OpenShift Container Platform 4.19:registry.redhat.io/openshift4/ztp-site-generate-rhel8@sha256:a26870f0981a8f939a0ec7e2cbf794f3f4b7121802474a79570bdb44e61e2a2a_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Container Platform 4.19:registry.redhat.io/openshift4/ztp-site-generate-rhel8@sha256:a26870f0981a8f939a0ec7e2cbf794f3f4b7121802474a79570bdb44e61e2a2a_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "helm.sh/helm/v3: Helm Chart Code Execution"
    }
  ]
}

CVE-2025-53547 (GCVE-0-2025-53547)

Vulnerability from cvelistv5

Published

2025-07-08 21:39

Modified

2025-07-09 17:05

Severity ?

8.5 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Summary

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.

References

▼	URL	Tags
	https://github.com/helm/helm/security/advisories/GHSA-557j-xg8c-q2mm	x_refsource_CONFIRM
	https://github.com/helm/helm/commit/4b8e61093d8f579f1165cdc6bd4b43fa5455f571	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	helm	helm	Version: < 3.18.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53547",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:26:40.496995Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T13:26:56.673Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-07-09T17:05:52.255Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://news.ycombinator.com/item?id=44506696"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "helm",
          "vendor": "helm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.18.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T21:39:59.075Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/helm/helm/security/advisories/GHSA-557j-xg8c-q2mm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/helm/helm/security/advisories/GHSA-557j-xg8c-q2mm"
        },
        {
          "name": "https://github.com/helm/helm/commit/4b8e61093d8f579f1165cdc6bd4b43fa5455f571",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/helm/helm/commit/4b8e61093d8f579f1165cdc6bd4b43fa5455f571"
        }
      ],
      "source": {
        "advisory": "GHSA-557j-xg8c-q2mm",
        "discovery": "UNKNOWN"
      },
      "title": "Helm Chart Dependency Updating With Malicious Chart.yaml Content And Symlink Can Lead To Code Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53547",
    "datePublished": "2025-07-08T21:39:59.075Z",
    "dateReserved": "2025-07-02T15:15:11.516Z",
    "dateUpdated": "2025-07-09T17:05:52.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted