What is the severity of CVE-2020-15186?

The severity of CVE-2020-15186 is medium.

How can a malicious plugin author exploit CVE-2020-15186?

A malicious plugin author could exploit CVE-2020-15186 by using characters in a plugin name that result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output.

Which versions of Helm are affected by CVE-2020-15186?

Helm versions 2.0.0 up to exclusive 2.16.11, and Helm v3 versions 3.0.0 up to and including 3.3.2 are affected by CVE-2020-15186.

How can I fix CVE-2020-15186?

To fix CVE-2020-15186, update Helm to version 2.16.11 for Helm v2, and update Helm v3 to version 3.3.2.

Where can I find more information about CVE-2020-15186?

You can find more information about CVE-2020-15186 on the official Helm GitHub security advisories page, the NVD website, and the Helm GitHub commit page.

Vulnerability/
CVE-2020-15186

medium

CWE

20 74

17/9/2020

24/5/2021

4/8/2024

CVE-2020-15186: Improper sanitization of plugin names in Helm

First published: Thu Sep 17 2020(Updated: )

### Impact Security researchers at Trail of Bits discovered that plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. ### Specific Go Packages Affected helm.sh/helm/v3/pkg/plugin ### Patches This issue has been patched in Helm 3.3.2. ### Workarounds Do not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
go/helm.sh/helm	<2.16.11	2.16.11
go/helm.sh/helm/v3	>=3.0.0<3.3.2	3.3.2
Helm Helm	>=2.0.0<2.16.11
Helm Helm	>=3.0.0<3.3.2

Remedy

https://github.com/helm/helm/commit/809e2d999e2c33e20e77f6bff30652d79c287542

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2020-15186?
The severity of CVE-2020-15186 is medium.
How can a malicious plugin author exploit CVE-2020-15186?
A malicious plugin author could exploit CVE-2020-15186 by using characters in a plugin name that result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output.
Which versions of Helm are affected by CVE-2020-15186?
Helm versions 2.0.0 up to exclusive 2.16.11, and Helm v3 versions 3.0.0 up to and including 3.3.2 are affected by CVE-2020-15186.
How can I fix CVE-2020-15186?
To fix CVE-2020-15186, update Helm to version 2.16.11 for Helm v2, and update Helm v3 to version 3.3.2.
Where can I find more information about CVE-2020-15186?
You can find more information about CVE-2020-15186 on the official Helm GitHub security advisories page, the NVD website, and the Helm GitHub commit page.

collector/github-advisory-latest
alias/GHSA-m54r-vrmv-hw33
alias/CVE-2020-15186
collector/github-advisory
collector/nvd-index
collector/nvd-cve
agent/author
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/title
agent/references
agent/remedy
agent/severity
agent/weakness
agent/last-modified-date
agent/tags
agent/description
agent/event
agent/first-publish-date
package-manager/go
vendor/helm
canonical/helm helm
version/helm helm/2.0.0
version/helm helm/3.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.