Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-15186

Опубликовано: 18 сент. 2020
Источник: redhat
CVSS3: 2.7
EPSS Низкий

Описание

In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to helm --help. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the name field in the plugin.yaml file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Advanced Cluster Management for Kubernetes 2helmFix deferred
Red Hat OpenStack Platform 16.2osp-director-provisioner-containerNot affected
Red Hat OpenStack Platform 16.2rhosp-rhel8-tech-preview/osp-director-downloaderNot affected
Red Hat OpenStack Platform 16.2rhosp-rhel8-tech-preview/osp-director-operatorNot affected
Red Hat Advanced Cluster Management for Kubernetes 2acmesolver-containerFixedRHEA-2021:072904.03.2021
Red Hat Advanced Cluster Management for Kubernetes 2acm-must-gather-containerFixedRHEA-2021:072904.03.2021
Red Hat Advanced Cluster Management for Kubernetes 2acm-operator-bundle-containerFixedRHEA-2021:072904.03.2021
Red Hat Advanced Cluster Management for Kubernetes 2application-ui-containerFixedRHEA-2021:072904.03.2021
Red Hat Advanced Cluster Management for Kubernetes 2cainjector-containerFixedRHEA-2021:072904.03.2021
Red Hat Advanced Cluster Management for Kubernetes 2cert-manager-controller-containerFixedRHEA-2021:072904.03.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
https://bugzilla.redhat.com/show_bug.cgi?id=1882302helm: plugin names are not sanitized properly

EPSS

Процентиль: 46%
0.00234
Низкий

2.7 Low

CVSS3

Связанные уязвимости

nvd логотип

CVE-2020-15186

CVSS3: 3.4
nvd
больше 5 лет назад

In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.

debian логотип

CVE-2020-15186

CVSS3: 3.4
debian
больше 5 лет назад

In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitiz ...

github логотип

GHSA-m54r-vrmv-hw33

CVSS3: 3.4
github
больше 4 лет назад

Improper Sanitizing of plugin names in helm

suse-cvrf логотип

SUSE-SU-2020:3760-1

suse-cvrf
около 5 лет назад

Security changes in Kubernetes, etcd, and helm; Bugfix in cri-o package

EPSS

Процентиль: 46%
0.00234
Низкий

2.7 Low

CVSS3