Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-15186

In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.

Published

2020-09-17T22:15:12.520

Last Modified

2024-11-21T05:05:01.987

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.4 (LOW)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-20
Type: Primary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	helm	helm	< 2.16.11	Yes
Application	helm	helm	< 3.3.2	Yes

References

https://github.com/helm/helm/commit/809e2d999e2c33e20e77f6bff30652d79c287542 Patch, Third Party Advisory ([email protected])
https://github.com/helm/helm/security/advisories/GHSA-m54r-vrmv-hw33 Third Party Advisory ([email protected])
https://github.com/helm/helm/commit/809e2d999e2c33e20e77f6bff30652d79c287542 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/helm/helm/security/advisories/GHSA-m54r-vrmv-hw33 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)