An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW01NHItdnJtdi1odzMz
Improper Sanitizing of plugin names in helm
Security researchers at Trail of Bits discovered that plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to
This issue has been patched in Helm 3.3.2.
Do not install untrusted Helm plugins. Examine the name field in the plugin.yaml file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.
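The workaround above can be scripted before a plugin is installed. The following is an added example, not Helm's own code: it extracts the top-level `name:` value from plugin.yaml text with a minimal line scan (an assumption of the example, not Helm's YAML parser) and reports every character outside the [a-zA-Z0-9._-] range the advisory names.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// allowedName is the character range named in the advisory's workaround.
var allowedName = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)

// PluginNameFromYAML returns the value of the first top-level "name:" line.
// Assumption: the flat `name: value` form used by Helm plugin.yaml files;
// this deliberately avoids a YAML library and is not Helm's own loader.
func PluginNameFromYAML(yamlText string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(yamlText))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "name:") {
			v := strings.TrimSpace(strings.TrimPrefix(line, "name:"))
			return strings.Trim(v, `"'`), true
		}
	}
	return "", false
}

// CheckPluginName reports whether name passes the [a-zA-Z0-9._-] check and,
// when it does not, lists each offending character (quoted, so control
// characters and whitespace are visible in a review log).
func CheckPluginName(name string) (ok bool, offending []string) {
	if allowedName.MatchString(name) {
		return true, nil
	}
	for _, r := range name {
		if !allowedName.MatchString(string(r)) {
			offending = append(offending, fmt.Sprintf("%q", r))
		}
	}
	return false, offending
}

func main() {
	// Constructed plugin.yaml fragments for demonstration, not real plugins.
	for _, y := range []string{
		"name: \"mychart-tool\"\nversion: \"0.1.0\"\n",
		"name: other plugin\t(v2)\nversion: \"0.1.0\"\n",
	} {
		n, found := PluginNameFromYAML(y)
		ok, bad := CheckPluginName(n)
		fmt.Printf("name=%q found=%v ok=%v offending=%v\n", n, found, ok, bad)
	}
}
```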
Source: GitHub Advisory Database
Published: about 2 years ago
Updated: 4 months ago
CVSS Score: 3.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N
Identifiers: GHSA-m54r-vrmv-hw33, CVE-2020-15186
go:helm.sh/helm/v3/pkg/plugin Versions: >= 3.0.0, < 3.3.2, >= 2.0.0, < 2.16.11
Fixed in: 3.3.2, 2.16.11
go:helm.sh/helm Versions: < 2.16.11
Fixed in: 2.16.11
go:helm.sh/helm/v3 Versions: >= 3.0.0, < 3.3.2
Fixed in: 3.3.2