CVE-2020-15184 - OpenCVE

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Helm	Helm

Configuration 1 [-]

OR	cpe:2.3:a:helm:helm::::::::
	cpe:2.3:a:helm:helm::::::::

References

Link	Resource
https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850	Patch Third Party Advisory
https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-09-17T20:40:12

Updated: 2020-09-17T20:40:12

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15184

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-09-17T21:15:17.550

Modified: 2021-11-18T17:50:32.987

Link: CVE-2020-15184

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "helm", "vendor": "helm", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.16.11"}, {"status": "affected", "version": ">= 3.0.0, < 3.3.2"}]}], "descriptions": [{"lang": "en", "value": "In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "{\"CWE-20\":\"Improper Input Validation\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-17T20:40:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850"}], "source": {"advisory": "GHSA-9vp5-m38w-j776", "discovery": "UNKNOWN"}, "title": "Aliases are never checked in Helm", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15184", "STATE": "PUBLIC", "TITLE": "Aliases are never checked in Helm"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "helm", "version": {"version_data": [{"version_value": ">= 2.0.0, < 2.16.11"}, {"version_value": ">= 3.0.0, < 3.3.2"}]}}]}, "vendor_name": "helm"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-20\":\"Improper Input Validation\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776", "refsource": "CONFIRM", "url": "https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776"}, {"name": "https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850", "refsource": "MISC", "url": "https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850"}]}, "source": {"advisory": "GHSA-9vp5-m38w-j776", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15184", "datePublished": "2020-09-17T20:40:12", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2020-09-17T20:40:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*", "matchCriteriaId": "455BCCE5-1D43-4E59-9591-E84B52DAAF0B", "versionEndExcluding": "2.16.11", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*", "matchCriteriaId": "B462D769-3FC0-4079-8B48-863F013662EF", "versionEndExcluding": "3.3.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters."}, {"lang": "es", "value": "En Helm versiones anteriores a 2.16.11 y 3.3.2, se presenta un error en el que el campo \"alias\" en un archivo \"Chart.yaml\" no es saneado apropiadamente. Esto podr\u00eda conllevar a la inyecci\u00f3n de informaci\u00f3n no deseada en un gr\u00e1fico. Este problema ha sido corregido en Helm versiones 3.3.2 y 2.16.11. Una posible soluci\u00f3n es revisar manualmente que el campo \"dependencies\" de cualquier gr\u00e1fico no sea de confianza, verificando que el campo \"alias\" no sea usado o (si se utiliza) no contenga nuevas l\u00edneas o caracteres de ruta"}], "id": "CVE-2020-15184", "lastModified": "2021-11-18T17:50:32.987", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-09-17T21:15:17.550", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}