1882300 – (CVE-2020-15187) CVE-2020-15187 helm: write access to the git repository or plugin archive causing causing a local execution attack

Bug 1882300 (CVE-2020-15187) - CVE-2020-15187 helm: write access to the git repository or plugin archive causing causing a local execution attack

Summary: CVE-2020-15187 helm: write access to the git repository or plugin archive cau...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-15187
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1884136 1893876
Blocks:	1882307
TreeView+	depends on / blocked

Reported:	2020-09-24 09:37 UTC by Dhananjay Arunesh
Modified:	2021-12-15 02:52 UTC (History)
CC List:	15 users (show)
Fixed In Version:	helm 3.3.2, helm 2.16.11
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-28 05:03:35 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2020-09-24 09:37:25 UTC

In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. As a possible workaround make sure to install plugins using a secure connection protocol like SSL.

References:
https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b
https://github.com/helm/helm/security/advisories/GHSA-c52f-pq47-2r9j

Note You need to log in before you can comment on or make changes to this bug.