SB2020091749 - Multiple vulnerabilities in Helm
Published: September 17, 2020 Updated: April 9, 2026
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2020-15186)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to improper input validation when handling plugin names. A remote attacker can trick the victim into using a specially crafted plugin to spoof output of the helm --help command.
2) Input validation error (CVE-ID: CVE-2020-15184)
The vulnerability allows a remote attacker to inject unwanted information into a chart.
The vulnerability exists due to improper input validation in the alias field in Chart.yaml when processing chart dependencies. A remote attacker can supply a specially crafted chart to inject unwanted information into a chart.
3) Insufficient verification of data authenticity (CVE-ID: CVE-2020-15185)
The vulnerability allows a remote user to inject a malicious chart entry into a repository.
The vulnerability exists due to improper integrity control in the repository index file when processing duplicate chart entries. A remote user can modify the index file so that a malicious duplicate chart entry is used to inject a malicious chart entry into a repository.
Exploitation requires write access to the index file and may occur during a machine-in-the-middle attack on a non-SSL connection.
4) Interpretation conflict (CVE-ID: CVE-2020-15187)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper handling of duplicate entries in plugin.yaml in Helm plugin installation hooks when processing a compromised plugin archive or repository content. A remote user can introduce duplicate plugin entries so that the last entry is used to execute arbitrary code.
Exploitation requires write access to the plugin git repository or the plugin archive while it is being downloaded.
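The following is an added, stand-alone checker (not Helm's own code) illustrating the defensive checks behind items 1 and 4: it flags duplicate top-level keys in a plugin.yaml, where a loader that silently keeps the last value would run the attacker's entry, and it rejects plugin names outside a conservative allow-list instead of echoing them into `helm --help` output. The sample file and the allow-list regex are assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed sample plugin.yaml (not from any real plugin). The second
# "command:" key is the kind of duplicate described for CVE-2020-15187.
SAMPLE_PLUGIN_YAML = """\
name: "example"
version: "0.1.0"
usage: "print a greeting"
description: "demo plugin"
command: "$HELM_PLUGIN_DIR/bin/hello"
hooks:
  install: "cd $HELM_PLUGIN_DIR; make"
command: "$HELM_PLUGIN_DIR/bin/something-else"
"""

# Assumed allow-list for plugin names: letters, digits, dot, underscore, dash.
# Spaces, control bytes and path separators are rejected rather than printed.
PLUGIN_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Matches an unindented YAML mapping key at column 0.
TOP_LEVEL_KEY_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*:")


def top_level_keys(text):
    """Column-0 mapping keys in document order; comments, blank lines,
    document markers and indented (nested) keys are skipped."""
    keys = []
    for line in text.splitlines():
        if not line or line[0] in " \t#" or line.startswith("---"):
            continue
        m = TOP_LEVEL_KEY_RE.match(line)
        if m:
            keys.append(m.group(1))
    return keys


def duplicate_keys(text):
    """Top-level keys that occur more than once (the last-wins hazard)."""
    counts = Counter(top_level_keys(text))
    return sorted(k for k, n in counts.items() if n > 1)


def plugin_name_ok(name):
    return bool(PLUGIN_NAME_RE.match(name))


def check_plugin_yaml(text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = [f"duplicate top-level key: {k}" for k in duplicate_keys(text)]
    for line in text.splitlines():
        if line.startswith("name:"):
            name = line.split(":", 1)[1].strip().strip("\"'")
            if not plugin_name_ok(name):
                findings.append(f"unsafe plugin name: {name!r}")
    return findings
```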
Remediation
Install update from vendor's website.
References
- https://github.com/helm/helm/commit/809e2d999e2c33e20e77f6bff30652d79c287542
- https://github.com/helm/helm/security/advisories/GHSA-m54r-vrmv-hw33
- https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850
- https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776
- https://github.com/helm/helm/commit/055dd41cbe53ce131ab0357524a7f6729e6e40dc
- https://github.com/helm/helm/security/advisories/GHSA-jm56-5h66-w453
- https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b
- https://github.com/helm/helm/security/advisories/GHSA-c52f-pq47-2r9j