GHSA-JM56-5H66-W453

Vulnerability from github – Published: 2021-05-24 16:57 – Updated: 2023-10-02 13:35
VLAI?
Summary
Repository index file allows for duplicates of the same chart entry in helm
Details

Impact

During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository.

To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection).

Specific Go Packages Affected

helm.sh/helm/v3/pkg/repo

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11

Workarounds

  • do not install charts from repositories you do not trust
  • fetch charts using a secure channel of communication (such as TLS)
  • use helm pull to fetch the chart, then review the chart’s content (either manually, or with helm verify if it has been signed) to ensure it has not been tampered with
  • manually review the index file in the Helm repository cache before installing software.
Severity ?
2.2 (Low)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "helm.sh/helm/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "helm.sh/helm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.16.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-694",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T16:47:58Z",
    "nvd_published_at": "2020-09-17T22:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nDuring a security audit of Helm\u0027s code base, security researchers at Trail of Bits identified a bug in which the a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository.\n\nTo perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection).\n\n### Specific Go Packages Affected\nhelm.sh/helm/v3/pkg/repo\n\n### Patches\n\nThis issue has been patched in Helm 3.3.2 and 2.16.11\n\n### Workarounds\n\n- do not install charts from repositories you do not trust\n- fetch charts using a secure channel of communication (such as TLS)\n- use `helm pull` to fetch the chart, then review the chart\u2019s content (either manually, or with `helm verify` if it has been signed) to ensure it has not been tampered with\n- manually review the index file in the Helm repository cache before installing software.",
  "id": "GHSA-jm56-5h66-w453",
  "modified": "2023-10-02T13:35:50Z",
  "published": "2021-05-24T16:57:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/helm/helm/security/advisories/GHSA-jm56-5h66-w453"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15185"
    },
    {
      "type": "WEB",
      "url": "https://github.com/helm/helm/commit/055dd41cbe53ce131ab0357524a7f6729e6e40dc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/helm/helm/commit/6aab63765f99050b115f0aec3d6350c85e8da946"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Repository index file allows for duplicates of the same chart entry in helm"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.