Skip to main content

Helm CVE-2020-15184

LOW
Improper Input Validation (CWE-20)
2020-09-17 security-advisories@github.com
2.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 17, 2020 - 21:15 nvd
LOW 2.7

DescriptionNVD

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.

AnalysisAI

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the alias field on a Chart.yaml is not properly sanitized. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-20. In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters. Affected products include: Helm.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Helm

View all
CVE-2019-1000008 MEDIUM POC
6.5 Feb 04

All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restric

CVE-2019-18658 CRITICAL
9.8 Nov 12

In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opport

CVE-2019-1010275 CRITICAL
9.8 Jul 17

helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. Rated critical severity (CVSS 9.8), this vul

CVE-2020-11013 MEDIUM POC
5.0 Apr 24

Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. Rated medium sever

CVE-2021-32690 HIGH
8.6 Jun 16

Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). Rated high severity (CVSS 8.6), th

CVE-2025-53547 HIGH
8.5 Jul 08

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a s

CVE-2026-35205 HIGH
8.4 Apr 09

Helm 4.0.0 through 4.1.3 silently installs Kubernetes plugins without cryptographic provenance verification even when si

CVE-2026-35204 HIGH
8.4 Apr 09

Path traversal in Helm 4.0.0-4.1.3 allows local attackers to write arbitrary files during plugin installation or update

CVE-2023-25165 MEDIUM POC
4.3 Feb 08

Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template funct

CVE-2024-26147 HIGH
7.5 Feb 21

Helm is a package manager for Charts for Kubernetes. Rated high severity (CVSS 7.5), this vulnerability is remotely expl

CVE-2022-23526 HIGH
7.5 Dec 15

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerabil

CVE-2022-23525 HIGH
7.5 Dec 15

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerabil

Share

CVE-2020-15184 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy