Fluid Attacks Database

Description

Repository index file allows for duplicates of the same chart entry in helm

Impact

During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository.

To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection).

Specific Go Packages Affected

helm.sh/helm/v3/pkg/repo

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11

Workarounds

do not install charts from repositories you do not trust

fetch charts using a secure channel of communication (such as TLS)

use helm pull to fetch the chart, then review the chart’s content (either manually, or with helm verify if it has been signed) to ensure it has not been tampered with

manually review the index file in the Helm repository cache before installing software.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	helm.sh/helm/v3/pkg/repo	>=2.0.0 <2.16.11 \|\| >=3.0.0 <3.3.2	2.16.11, 3.3.2
go	helm.sh/helm	>=0 <2.16.11	2.16.11
go	helm.sh/helm/v3	>=3.0.0 <3.3.2	3.3.2

Aliases

1. CVE-2020-151852. NVD-2020-151853. OSV-2020-151854. GHSA-jm56-5h66-w4535. GCVE-2020-151856. GHSA-jm56-5h66-w453

References

1. https://github.com/helm/helm/commit/055dd41cbe53ce131ab0357524a7f6729e6e40dc2. https://github.com/helm/helm/commit/6aab63765f99050b115f0aec3d6350c85e8da9463. https://github.com/helm/helm/security/advisories/GHSA-jm56-5h66-w453

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.