Alpine: multiple helm packages: security update to 3.18.4-r0

high Tenable Self-Hosted Container Security Plugin ID 428359

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file
along with a specially linked Chart.lock file can lead to local code execution when dependencies are
updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are
updated and this file is written, can be crafted in a way that can cause execution if that same content
were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is
symlinked to one of these files updating dependencies will write the lock file content to the symlinked
file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due
to symlinking. This issue has been resolved in Helm v3.18.4. (CVE-2025-53547)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-53547

Plugin Details

Severity: High

ID: 428359

Version: Revision 1.6

Type: Local

Published: 7/11/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7

Percentile: 98.33

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-53547

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/8/2025

Reference Information

CVE: CVE-2025-53547