PT-2020-14256 · Helm+2

Published

2020-09-17

·

Updated

2024-03-06

·

CVE-2020-15185

CVSS v2.0

4.0

Medium

Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Helm versions prior to 2.16.11
Helm versions prior to 3.3.2

Description

A Helm repository index can contain duplicate entries for the same chart, and the last one is always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into the repository. To perform this attack, an attacker must have write access to the index file, which can occur during a MITM attack on a non-SSL connection.

Recommendations

For Helm versions prior to 2.16.11, update to version 2.16.11 or later to resolve the issue. For Helm versions prior to 3.3.2, update to version 3.3.2 or later to resolve the issue. As a temporary workaround, consider manually reviewing the index file in the Helm repository cache before installing software. Do not install charts from repositories you do not trust. Fetch charts using a secure channel of communication, such as TLS. Use helm pull to fetch the chart, then review the chart’s content to ensure it has not been tampered with.
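The "review the index file" workaround above can be automated. The script below is an added example, not Helm's code and not part of this advisory: it takes an index.yaml already loaded with yaml.safe_load(), flags every chart name+version that is listed more than once (the vulnerable behaviour is that the last such entry wins), highlights duplicates whose digests disagree, and lists chart URLs that would be fetched without TLS. The embedded index, hostnames and digests are constructed placeholders.

```python
"""Audit a parsed Helm repository index for duplicate chart entries.

Helm before 2.16.11 / 3.3.2 resolved a chart name+version by taking the
LAST matching entry in index.yaml, so a duplicate appended to a tampered
index silently wins. This is an added example: it expects the dict that
yaml.safe_load() returns for index.yaml and embeds a constructed sample so
it runs offline.
"""
from collections import defaultdict

# Constructed sample of an index.yaml after yaml.safe_load(). The second
# "app 1.0.0" entry mimics an injected duplicate that points at a different
# package (different digest, plain-http URL). Hostnames and digests are
# placeholders, not real values.
SAMPLE_INDEX = {
    "apiVersion": "v1",
    "entries": {
        "app": [
            {
                "name": "app",
                "version": "1.0.0",
                "digest": "sha256:aaaa",  # placeholder digest
                "urls": ["https://charts.example.invalid/app-1.0.0.tgz"],
            },
            {
                "name": "app",
                "version": "1.0.0",
                "digest": "sha256:bbbb",  # placeholder: differs from first
                "urls": ["http://charts.example.invalid/app-1.0.0-x.tgz"],
            },
        ],
        "db": [
            {
                "name": "db",
                "version": "2.3.1",
                "digest": "sha256:cccc",  # placeholder digest
                "urls": ["https://charts.example.invalid/db-2.3.1.tgz"],
            }
        ],
    },
}


def find_duplicate_versions(index):
    """Return {"name@version": [entries...]} for every name+version that
    appears more than once. Entry order is preserved, so entries[-1] is the
    one a vulnerable Helm would have selected."""
    seen = defaultdict(list)
    for map_name, versions in index.get("entries", {}).items():
        for entry in versions:
            # Key on the entry's own name field; a tampered entry may carry a
            # name that does not match the key it sits under.
            key = f"{entry.get('name', map_name)}@{entry.get('version')}"
            seen[key].append(entry)
    return {k: v for k, v in seen.items() if len(v) > 1}


def conflicting_digests(dups):
    """Duplicates whose digests disagree, i.e. the same name+version refers
    to different packages. Identical-digest duplicates are harmless noise."""
    out = {}
    for key, entries in dups.items():
        digests = sorted({e.get("digest") for e in entries})
        if len(digests) > 1:
            out[key] = digests
    return out


def insecure_urls(index):
    """Chart package URLs that would be fetched without TLS."""
    bad = []
    for versions in index.get("entries", {}).values():
        for entry in versions:
            for url in entry.get("urls", []):
                if not url.lower().startswith("https://"):
                    bad.append(url)
    return bad


def audit(index):
    """Combine the three checks into one report dict."""
    dups = find_duplicate_versions(index)
    return {
        "duplicates": sorted(dups),
        "conflicting_digests": conflicting_digests(dups),
        "insecure_urls": insecure_urls(index),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_INDEX), indent=2))
```

To run it against a real cache, load the repository's index file with yaml.safe_load() and pass the result to audit(); on Helm 3, `helm env` prints the cache directory as HELM_REPOSITORY_CACHE. Any "conflicting_digests" entry means two different packages claim the same chart version and the index should not be trusted until the repository has been checked.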

Fix

Special Elements Injection

RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2020-3396
ALT-PU-2020-3416
ALT-PU-2022-1250
BIT-HELM-2020-15185
CVE-2020-15185
GHSA-JM56-5H66-W453
SUSE-SU-2020:3760-1

Affected Products

Alt Linux
Helm
Suse