CVE-2020-15185

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-15185

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15185.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-15185

Aliases

Downstream

SUSE-SU-2020:3760-1

Related

Published

2020-09-17T22:15:12.443Z

Modified

2026-02-09T04:25:25.741254Z

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index file in the Helm repository cache before installing software.

References

Affected packages

Git / github.com/helm/helm

Affected ranges

Type: GIT
Repo: https://github.com/helm/helm
Events: Fixed

055dd41cbe53ce131ab0357524a7f6729e6e40dc

Introduced

51bdad42756dfaf3234f53ef3d3cb6bcd94144c2

Fixed

73b28bab84490d18ab1b71489a574ee18e229eea

Introduced

e29ce2a54e96cd02ccfce88bee4f58bb6e2a28b6

Fixed

e5077257b6ca106d1f65652b4ca994736d221ab1

Affected versions

v2.*

v2.0.0

v2.1.0

v2.10.0-rc.1

v2.10.0-rc.2

v2.16.10

v2.16.7

v2.16.8

v2.16.9

v2.2.0

v2.3.0

v2.4.0

v2.5.0

v2.6.0

v2.7.0

v2.7.0-rc1

v2.8.0-rc.1

v3.*

v3.0.0-alpha.1

v3.0.0-alpha.2

v3.0.0-beta.1

v3.0.0-beta.2

v3.0.0-beta.3

v3.0.0-beta.4

v3.0.0-beta.5

v3.1.0-rc.1

v3.3.0

v3.3.0-rc.1

v3.3.0-rc.2

v3.3.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15185.json"