Duplicate plugin entries in Helm
CVE-2020-15187

4.7MEDIUM

Key Information:

Vendor

Helm

Status
Helm
Vendor
CVE Published:
17 September 2020

What is CVE-2020-15187?

In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. As a possible workaround make sure to install plugins using a secure connection protocol like SSL.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

helm >= 2.0.0, < 2.16.11 < 2.0.0, 2.16.11

helm >= 3.0.0, < 3.3.2 < 3.0.0, 3.3.2

References

https://github.com/helm/helm/security/advisories/GHSA-c52...
x_refsource_CONFIRM
https://github.com/helm/helm/commit/6aab63765f99050b115f0...
x_refsource_MISC
https://github.com/helm/helm/commit/ac7c07c37d87e09797f71...
x_refsource_MISC

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.