CVE-2020-15186

In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to helm --help. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the name field in the plugin.yaml file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.

Published: Sep 18, 2020
Updated: May 9, 2024
CVE: CVE-2020-15186
GHSA: GHSA-m54r-vrmv-hw33
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 2.7
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

CWEs:

Affected Software
References

Software	From	Fixed in
helm / helm	3.0.0	3.3.2
helm / helm	2.0.0	2.16.11
helm.sh/helm/v3	3.0.0	3.3.2
helm.sh/helm	-	2.16.11
helm.sh/helm/v3/pkg/plugin	2.0.0	2.16.11
helm.sh/helm/v3/pkg/plugin	3.0.0	3.3.2

Vulnerability Database

CVE-2020-15186

Deep Security Visibility Without the Complexity