CVE-2020-15187 – helm.sh/helm

Package

Manager: go
Name: helm.sh/helm
Vulnerable Version: >=2.0.0 <2.16.11

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00327 pctl0.54955

Details

plugin.yaml file allows for duplicate entries in helm ### Impact During a security audit of Helm's code base, Helm maintainers identified a bug in which a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). ### Patches This issue has been patched in Helm 2.16.11 and Helm 3.3.2. ### Workarounds Make sure to install plugins using a secure connection protocol like SSL.

Metadata

Created: 2021-05-24T16:57:21Z
Modified: 2025-05-29T22:59:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c52f-pq47-2r9j/GHSA-c52f-pq47-2r9j.json
CWE IDs: ["CWE-694", "CWE-74"]
Alternative ID: GHSA-c52f-pq47-2r9j
Finding: F009
Auto approve: 1