During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository.
To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection).
helm.sh/helm/v3/pkg/repo
This issue has been patched in Helm 3.3.2 and 2.16.11
helm pull
to fetch the chart, then review the chart’s content (either manually, or with helm verify
if it has been signed) to ensure it has not been tampered with{ "nvd_published_at": "2020-09-17T22:15:00Z", "cwe_ids": [ "CWE-20", "CWE-694", "CWE-74" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2021-05-24T16:47:58Z" }