VYPR
Low severityNVD Advisory· Published Sep 17, 2020· Updated Aug 4, 2024

Improper sanitization of plugin names in Helm

CVE-2020-15186

Description

In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to helm --help. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the name field in the plugin.yaml file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
helm.sh/helm/v3Go
>= 3.0.0, < 3.3.23.3.2
helm.sh/helmGo
< 2.16.112.16.11

Affected products

5

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.