1882306 – (CVE-2020-15185) CVE-2020-15185 helm: write access to the index file allows an attacker to inject bad chart into repository

Bug 1882306 (CVE-2020-15185) - CVE-2020-15185 helm: write access to the index file allows an attacker to inject bad chart into repository

Summary: CVE-2020-15185 helm: write access to the index file allows an attacker to inj...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-15185
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1884134
Blocks:	1882307
TreeView+	depends on / blocked

Reported:	2020-09-24 09:52 UTC by Dhananjay Arunesh
Modified:	2021-12-15 02:49 UTC (History)
CC List:	15 users (show)
Fixed In Version:	helm 3.3.2, helm 2.16.11
Clone Of:
Environment:
Last Closed:	2021-10-28 05:03:46 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2020-09-24 09:52:25 UTC

In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index file in the Helm repository cache before installing software.

References:
https://github.com/helm/helm/commit/055dd41cbe53ce131ab0357524a7f6729e6e40dc
https://github.com/helm/helm/security/advisories/GHSA-jm56-5h66-w453

Note You need to log in before you can comment on or make changes to this bug.