CVE-2020-15186

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-15186

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15186.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-15186

Aliases

Downstream

SUSE-SU-2020:3760-1

Related

Published

2020-09-17T22:15:12.520Z

Modified

2026-02-07T04:15:33.145747Z

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to helm --help. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the name field in the plugin.yaml file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.

References

Affected packages

Git / github.com/helm/helm

Affected ranges

Type: GIT
Repo: https://github.com/helm/helm
Events: Introduced

51bdad42756dfaf3234f53ef3d3cb6bcd94144c2

Fixed

73b28bab84490d18ab1b71489a574ee18e229eea

Introduced

e29ce2a54e96cd02ccfce88bee4f58bb6e2a28b6

Fixed

e5077257b6ca106d1f65652b4ca994736d221ab1

Affected versions

v2.*

v2.0.0

v2.1.0

v2.10.0-rc.1

v2.10.0-rc.2

v2.16.10

v2.16.7

v2.16.8

v2.16.9

v2.2.0

v2.3.0

v2.4.0

v2.5.0

v2.6.0

v2.7.0

v2.7.0-rc1

v2.8.0-rc.1

v3.*

v3.0.0-alpha.1

v3.0.0-alpha.2

v3.0.0-beta.1

v3.0.0-beta.2

v3.0.0-beta.3

v3.0.0-beta.4

v3.0.0-beta.5

v3.1.0-rc.1

v3.3.0

v3.3.0-rc.1

v3.3.0-rc.2

v3.3.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15186.json"