Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-15186

Good to know:

icon

Date: September 17, 2020

In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to "helm --help". This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the "name" field in the "plugin.yaml" file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.

Language: Go

Severity Score

Related Resources (6)

https://nvd.nist.gov/vuln/detail/CVE-2020-15186
https://github.com/helm/helm/security/advisories/GHSA-m54r-vrmv-hw33
https://github.com/helm/helm
https://github.com/helm/helm/commit/809e2d999e2c33e20e77f6bff30652d79c287542
https://github.com/helm/helm/commit/c8d6b01d72c9604e43ee70d0d78fadd54c2d8499
https://www.mend.io/vulnerability-database/CVE-2020-15186

Severity Score

Weakness Type (CWE)

Improper Input Validation

CWE-20

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

icon

Upgrade Version

Upgrade to version helm.sh/helm/v3 - v3.3.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us