Bug 1882306 (CVE-2020-15185)

Summary: CVE-2020-15185 helm: write access to the index file allows an attacker to inject bad chart into repository
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: dbecker, gghezzo, gparvin, jjoyce, jramanat, jschluet, jweiser, lhh, lpeer, mburns, rhos-maint, sclewis, slinaber, stcannon, thee
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: helm 3.3.2, helm 2.16.11
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-28 05:03:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1884134
Bug Blocks: 1882307

Description Dhananjay Arunesh 2020-09-24 09:52:25 UTC
In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index file in the Helm repository cache before installing software.
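The workaround the description recommends, reviewing the cached index file before installing, can be scripted. The following is an added example, not code from this bug record or from the Helm project: it takes a Helm `index.yaml` (parsed into the usual `entries` map) and reports every chart name and version that is listed more than once, which is the condition the advisory describes. The sample index, its digests and its URLs are constructed for the example, and `load_index` assumes PyYAML is installed when reading a real file from disk.

```python
"""Report duplicate chart entries in a Helm repository index.

Added example for CVE-2020-15185; not part of the bug record or of Helm.
Before Helm 3.3.2 / 2.16.11 an index could list the same chart name and
version twice and the client used the last entry. This script surfaces
such duplicates so the cached index can be reviewed before `helm install`.
"""
from collections import defaultdict

# Constructed sample shaped like Helm's index.yaml after yaml.safe_load().
# The second "demo 1.0.0" entry carries a different digest and URL: the kind
# of duplicate an unpatched client would have silently preferred.
SAMPLE_INDEX = {
    "apiVersion": "v1",
    "entries": {
        "demo": [
            {"name": "demo", "version": "1.0.0", "digest": "sha256:aaaa-constructed",
             "urls": ["https://charts.example.invalid/demo-1.0.0.tgz"]},
            {"name": "demo", "version": "1.1.0", "digest": "sha256:bbbb-constructed",
             "urls": ["https://charts.example.invalid/demo-1.1.0.tgz"]},
            {"name": "demo", "version": "1.0.0", "digest": "sha256:cccc-constructed",
             "urls": ["https://mirror.example.invalid/demo-1.0.0.tgz"]},
        ],
        "other": [
            {"name": "other", "version": "2.0.0", "digest": "sha256:dddd-constructed",
             "urls": ["https://charts.example.invalid/other-2.0.0.tgz"]},
        ],
    },
}


def load_index(path):
    """Parse an index.yaml from disk. Assumes PyYAML is available; it is
    imported lazily so the checks below work without it."""
    import yaml
    with open(path, "r", encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


def find_duplicate_versions(index):
    """Group entries by (chart name, version) and keep groups with more than
    one member. Entries keep index order, so entries[-1] of a group is the
    one a vulnerable Helm would have used."""
    grouped = defaultdict(list)
    for chart, versions in (index.get("entries") or {}).items():
        for entry in versions or []:
            grouped[(chart, str(entry.get("version")))].append(entry)
    return {key: entries for key, entries in grouped.items() if len(entries) > 1}


def check_index(index):
    """Return one human-readable finding per duplicated (chart, version)."""
    findings = []
    for (chart, version), entries in find_duplicate_versions(index).items():
        digests = sorted({str(e.get("digest")) for e in entries})
        urls = sorted(u for e in entries for u in (e.get("urls") or []))
        findings.append(
            f"{chart} {version}: listed {len(entries)} times, "
            f"{len(digests)} distinct digest(s) {digests}, urls {urls}; "
            f"Helm before 3.3.2/2.16.11 would have used the last entry"
        )
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python check_index.py [path/to/<repo>-index.yaml]
    index = load_index(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INDEX
    for line in check_index(index) or ["no duplicate chart entries found"]:
        print(line)
```

Point it at a cached index (in Helm 3 the cache directory is the one `helm env` reports as HELM_REPOSITORY_CACHE, with each repository's index stored as `<repo>-index.yaml`). A non-empty result means the entry an unpatched client would pick is not necessarily the one a reader sees first, so its digest and download URL are worth checking before installing; on patched clients the duplicate is still a sign that the index was not produced by a trustworthy `helm repo index` run.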

References:
https://github.com/helm/helm/commit/055dd41cbe53ce131ab0357524a7f6729e6e40dc
https://github.com/helm/helm/security/advisories/GHSA-jm56-5h66-w453