CVE-2020-15187

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-15187

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15187.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-15187

Aliases

Downstream

SUSE-SU-2020:3760-1

Related

Published

2020-09-17T22:15:12.647Z

Modified

2026-04-02T04:10:15.895333Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. As a possible workaround make sure to install plugins using a secure connection protocol like SSL.

References

Affected packages

Git / github.com/helm/helm

Affected ranges

Type

GIT

Repo

https://github.com/helm/helm

Events

Introduced

51bdad42756dfaf3234f53ef3d3cb6bcd94144c2

Fixed

73b28bab84490d18ab1b71489a574ee18e229eea

Introduced

e29ce2a54e96cd02ccfce88bee4f58bb6e2a28b6

Fixed

e5077257b6ca106d1f65652b4ca994736d221ab1

Fixed

6aab63765f99050b115f0aec3d6350c85e8da946

Fixed

ac7c07c37d87e09797f714fb57aa5e9cb99d9450

Fixed

b0296c0522e837d65f944beefa3fb64fd08ac304

Fixed

c8d6b01d72c9604e43ee70d0d78fadd54c2d8499

Fixed

d9ef5ce8bad512e325390c0011be1244b8380e4b

Fixed

f2ede29480b507b7d8bb152dd8b6b86248b00658

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.16.11"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.3.2"
        }
    ]
}

Affected versions

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.10.0

v2.10.0-rc.1

v2.10.0-rc.2

v2.10.0-rc.3

v2.11.0

v2.11.0-rc.1

v2.11.0-rc.2

v2.11.0-rc.3

v2.11.0-rc.4

v2.12.0

v2.12.0-rc.1

v2.12.0-rc.2

v2.12.1

v2.12.2

v2.12.3

v2.13.0

v2.13.0-rc.1

v2.13.0-rc.2

v2.13.1

v2.13.1-rc.1

v2.14.0

v2.14.0-rc.1

v2.14.0-rc.2

v2.14.1

v2.14.2

v2.14.3

v2.15.0

v2.15.0-rc.1

v2.15.0-rc.2

v2.15.1

v2.15.2

v2.16.0

v2.16.0-rc.1

v2.16.0-rc.2

v2.16.1

v2.16.10

v2.16.2

v2.16.3

v2.16.4

v2.16.5

v2.16.6

v2.16.7

v2.16.8

v2.16.9

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.3.0

v2.3.1

v2.4.0

v2.4.1

v2.4.2

v2.5.0

v2.5.1

v2.6.0

v2.6.1

v2.6.2

v2.7.0

v2.7.0-rc1

v2.7.1

v2.7.2

v2.8.0

v2.8.0-rc.1

v2.8.1

v2.8.2

v2.8.2-rc1

v2.9.0

v2.9.0-rc1

v2.9.0-rc2

v2.9.0-rc3

v2.9.0-rc4

v2.9.0-rc5

v2.9.1

v3.*

v3.0.0

v3.0.0-alpha.1

v3.0.0-alpha.2

v3.0.0-beta.1

v3.0.0-beta.2

v3.0.0-beta.3

v3.0.0-beta.4

v3.0.0-beta.5

v3.0.0-rc.1

v3.0.0-rc.2

v3.0.0-rc.3

v3.0.0-rc.4

v3.0.1

v3.0.2

v3.0.3

v3.1.0

v3.1.0-rc.1

v3.1.0-rc.2

v3.1.0-rc.3

v3.1.1

v3.1.2

v3.1.3

v3.2.0

v3.2.0-rc.1

v3.2.1

v3.2.2

v3.2.3

v3.2.4

v3.3.0

v3.3.0-rc.1

v3.3.0-rc.2

v3.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15187.json"