Arbitrary Code Execution Affecting helm.sh/helm/v3/pkg/plugin package, versions <2.16.11<3.3.2


Severity

Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.07% (35th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-HELMSHHELMV3PKGPLUGIN-1083977
  • published18 Sept 2020
  • disclosed18 Sept 2020
  • creditUnknown

Introduced: 18 Sep 2020

CVE-2020-15187  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade helm.sh/helm/v3/pkg/plugin to version 2.16.11, 3.3.2 or higher.

Overview

helm.sh/helm/v3/pkg/plugin is a package manager for Kubernetes.

Affected versions of this package are vulnerable to Arbitrary Code Execution. A Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection).

CVSS Scores

version 3.1