Bug 1882300 (CVE-2020-15187)

Summary: CVE-2020-15187 helm: write access to the git repository or plugin archive causing causing a local execution attack
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dbecker, gghezzo, gparvin, jjoyce, jramanat, jschluet, jweiser, lhh, lpeer, mburns, rhos-maint, sclewis, slinaber, stcannon, thee
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: helm 3.3.2, helm 2.16.11 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 05:03:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1884136, 1893876    
Bug Blocks: 1882307    

Description Dhananjay Arunesh 2020-09-24 09:37:25 UTC 
In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. As a possible workaround make sure to install plugins using a secure connection protocol like SSL.

References:
https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b
https://github.com/helm/helm/security/advisories/GHSA-c52f-pq47-2r9j