CVE-2020-15184 — Improper Input Validation in Helm

CWE-20 — Improper Input Validation CWE-74 — Injection CWE-400 — Uncontrolled Resource Consumption6 documents6 sources

Severity

2.7LOWNVD

CNA3.7

EPSS

0.2%

top 53.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Helm.sh Helm Helm.sh Helm V3 Helm

Timeline

PublishedSep 17

Latest updateMay 24

Description

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages4 packages

▶NVDhelm/helm2.0.0 — 2.16.11+1

▶Gohelm.sh/helm< 2.16.11

▶Gohelm.sh/helm_v33.0.0 — 3.3.2

▶CVEListV5helm/helm>= 2.0.0, < 2.16.11, >= 3.0.0, < 3.3.2+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Aliases are never checked in helm↗2021-05-24

▶

OSV

Aliases are never checked in helm↗2021-05-24

▶

CVEList

Aliases are never checked in Helm↗2020-09-17

▶

📋Vendor Advisories

Red Hat

helm: Chart.yaml is not properly sanitized lead to injection of unwanted information into chart↗2020-09-18

▶

💬Community

Bugzilla

CVE-2020-15184 helm: Chart.yaml is not properly sanitized lead to injection of unwanted information into chart↗2020-09-24

▶