CVE-2020-15184

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15184
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15184.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-15184
Aliases
Related
Published
2020-09-17T21:15:17Z
Modified
2024-10-12T06:11:14.062995Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.

References

Affected packages

Git / github.com/helm/helm

Affected ranges

Type
GIT
Repo
https://github.com/helm/helm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.999.0

v1.*

v1.0
v1.1
v1.2

v2.*

v2.0.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.4
v2.0.0-alpha.5
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-rc.1
v2.0.0-rc.2
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.7.0-rc1
v2.8.0-rc.1

v3.*

v3.0.0-alpha.1
v3.0.0-alpha.2
v3.0.0-beta.1
v3.0.0-beta.2
v3.0.0-beta.3
v3.0.0-beta.4
v3.0.0-beta.5
v3.1.0-rc.1
v3.3.0
v3.3.0-rc.1
v3.3.0-rc.2
v3.3.1