PT-2020-14257

Published: 2020-09-17 · Updated: 2024-03-06 · CVE-2020-15186

CVSS v2.0: 4.0 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Helm versions prior to 2.16.11
Helm versions prior to 3.3.2

Description

The issue arises from improper sanitization of plugin names: a malicious plugin author can place characters outside of the [a-zA-Z0-9. -] range in the name field of the plugin.yaml file, which could result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output of helm --help.

Recommendations

For Helm versions prior to 2.16.11, update to version 2.16.11 or later. For Helm versions prior to 3.3.2, update to version 3.3.2 or later. As a temporary workaround, do not install untrusted Helm plugins, and examine the name field in each plugin.yaml file for characters outside of the [a-zA-Z0-9. -] range.
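An added Python audit script for the temporary workaround above (not Helm's own code): it flags plugin names containing characters outside the advisory's [a-zA-Z0-9. -] range and names that would render like an already-seen plugin once terminal escape sequences and stray bytes are dropped. The sample names, the collision heuristic and the "?" replacement for display are assumptions made for this example.

```python
import re

# Allowed plugin-name characters, from the advisory's [a-zA-Z0-9. -] range. Added,
# hypothetical audit check for the workaround described above, not Helm's own code.
ALLOWED_CHAR = re.compile(r"[a-zA-Z0-9. -]")
# Terminal CSI escape sequences such as "\x1b[2K" (erase line) or "\x1b[0m" (reset)
ANSI_CSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")

def name_issues(name):
    """Return the problems with one plugin.yaml name field (empty list = acceptable)."""
    if not name:
        return ["empty name"]
    bad = sorted({c for c in name if not ALLOWED_CHAR.fullmatch(c)})
    # repr() makes control characters visible in the report, e.g. '\n' or '\x1b'
    return ["disallowed characters: " + ", ".join(repr(c) for c in bad)] if bad else []

def sanitize_for_display(name):
    """Replace disallowed characters so a name cannot inject lines or escapes into output."""
    return "".join(c if ALLOWED_CHAR.fullmatch(c) else "?" for c in name)

def collision_key(name):
    """Heuristic for what a user perceives once escapes and stray bytes are gone."""
    stripped = ANSI_CSI.sub("", name)
    stripped = "".join(c for c in stripped if ALLOWED_CHAR.fullmatch(c))
    return " ".join(stripped.split()).lower()

def audit_plugins(names):
    """Flag names with disallowed characters or that render like an earlier plugin.
    Returns [(display_name, [issues, ...]), ...] for flagged names, in input order."""
    seen, report = {}, []
    for name in names:
        issues = name_issues(name)
        key = collision_key(name)
        if key in seen:
            issues.append(f"renders like existing plugin {sanitize_for_display(seen[key])!r}")
        seen.setdefault(key, name)
        if issues:
            report.append((sanitize_for_display(name), issues))
    return report

# Constructed sample values for the "name:" field of several plugin.yaml files
SAMPLE_NAMES = [
    "diff",                            # acceptable
    "secrets-v1.2",                    # acceptable
    "diff\x1b[2K",                     # escape sequence: renders like "diff"
    "env\nthis line is not a plugin",  # newline: adds a fake line to help output
]
```

Running audit_plugins(SAMPLE_NAMES) reports the third and fourth names only; the first two pass the same check the fixed Helm versions enforce.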

Fix

RCE

Special Elements Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2020-3396
ALT-PU-2020-3416
ALT-PU-2022-1250
BIT-HELM-2020-15186
CVE-2020-15186
GHSA-M54R-VRMV-HW33
SUSE-SU-2020:3760-1

Affected Products

Alt Linux
Helm
Suse