Security researchers at Trail of Bits discovered that plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to helm --help
.
helm.sh/helm/v3/pkg/plugin
This issue has been patched in Helm 3.3.2.
Do not install untrusted Helm plugins. Examine the name
field in the plugin.yaml
file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.
{ "nvd_published_at": "2020-09-17T22:15:00Z", "cwe_ids": [ "CWE-20", "CWE-74" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2021-05-24T16:45:43Z" }