CVE-2020-15185

17.09.2020, 22:15

In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index file in the Helm repository cache before installing software.

Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	2.2 LOW	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 46%

Affected Products (NVD)

Vendor	Product	Version
helm	helm	2.0.0 ≤ 𝑥 < 2.16.11
helm	helm	3.0.0 ≤ 𝑥 < 3.3.2

𝑥

= Vulnerable software versions

openSUSE / SLES Releases

openSUSE Product

Release

kubernetes-client

suse enterprise sap 15 SP1	1.17.13-4.21.2 fixed
suse enterprise server 15 SP1	1.17.13-4.21.2 fixed

kubernetes-common

suse enterprise sap 15 SP1	1.17.13-4.21.2 fixed
suse enterprise server 15 SP1	1.17.13-4.21.2 fixed

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://github.com/helm/helm/commit/055dd41cbe53ce131ab0357524a7f6729e6e40dc

https://github.com/helm/helm/security/advisories/GHSA-jm56-5h66-w453

https://github.com/helm/helm/commit/055dd41cbe53ce131ab0357524a7f6729e6e40dc

https://github.com/helm/helm/security/advisories/GHSA-jm56-5h66-w453