Go modules package
helm.sh/helm
pkg:golang/helm.sh/helm
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-15187 | — | | | >= 2.0.0, < 2.16.11 | 2.16.11 | Sep 17, 2020 | In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attac |
| CVE-2020-15186 | — | | | < 2.16.11 | 2.16.11 | Sep 17, 2020 | In Helm before versions 2.16.11 and 3.3.2, plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm |
| CVE-2020-15185 | — | | | < 2.16.11 | 2.16.11 | Sep 17, 2020 | In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this at |
| CVE-2020-15184 | — | | | < 2.16.11 | 2.16.11 | Sep 17, 2020 | In Helm before versions 2.16.11 and 3.3.2, there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is |
| CVE-2019-18658 | — | | | >= 2.0.0, < 2.15.2 | 2.15.2 | Nov 12, 2019 | In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev |
| CVE-2019-1010275 | — | | | < 2.7.2 | 2.7.2 | Jul 17, 2019 | Helm before 2.7.2 is affected by CWE-295: Improper Certificate Validation. The impact is: unauthorized clients could connect to the server because self-signed client certs were allowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/ |
| CVE-2019-1000008 | — | | | >= 2.0.0, < 2.12.2 | 2.12.2 | Feb 4, 2019 | All versions of Helm between >= 2.0.0 and < 2.12.2 contain a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the commands `helm fetch --untar` and `helm lint some.tgz` that can result when chart archive files are unpack |