Duplicate plugin entries in Helm
CVE-2020-15187

3LOW

Key Information:

Vendor

Helm

Status
Helm
Vendor
CVE Published:
17 September 2020

What is CVE-2020-15187?

In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. As a possible workaround make sure to install plugins using a secure connection protocol like SSL.

Affected Version(s)

helm >= 2.0.0, < 2.16.11 < 2.0.0, 2.16.11

helm >= 3.0.0, < 3.3.2 < 3.0.0, 3.3.2

References

https://github.com/helm/helm/security/advisories/GHSA-c52...
x_refsource_CONFIRM
https://github.com/helm/helm/commit/6aab63765f99050b115f0...
x_refsource_MISC
https://github.com/helm/helm/commit/ac7c07c37d87e09797f71...
x_refsource_MISC

CVSS V3.1

Score:
3
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.