Bug 1882302 (CVE-2020-15186)

Summary: CVE-2020-15186 helm: plugin names are not sanitized properly
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dbecker, gghezzo, gparvin, jjoyce, jramanat, jschluet, jweiser, lhh, lpeer, mburns, rhos-maint, sclewis, slinaber, stcannon, thee
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: helm 3.3.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 05:03:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1884135    
Bug Blocks: 1882307    

Description Dhananjay Arunesh 2020-09-24 09:42:49 UTC 
In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.

References:
https://github.com/helm/helm/commit/809e2d999e2c33e20e77f6bff30652d79c287542
https://github.com/helm/helm/security/advisories/GHSA-m54r-vrmv-hw33