{ "containers": { "cna": { "title": "Duplicate plugin entries in Helm", "problemTypes": [ { "descriptions": [ { "cweId": "CWE-694", "lang": "en", "description": "CWE-694: Use of Multiple Resources with Duplicate Identifier", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N", "version": "3.1" } } ], "references": [ { "name": "https://github.com/helm/helm/security/advisories/GHSA-c52f-pq47-2r9j", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/helm/helm/security/advisories/GHSA-c52f-pq47-2r9j" }, { "name": "https://github.com/helm/helm/commit/6aab63765f99050b115f0aec3d6350c85e8da946", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/helm/helm/commit/6aab63765f99050b115f0aec3d6350c85e8da946" }, { "name": "https://github.com/helm/helm/commit/ac7c07c37d87e09797f714fb57aa5e9cb99d9450", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/helm/helm/commit/ac7c07c37d87e09797f714fb57aa5e9cb99d9450" }, { "name": "https://github.com/helm/helm/commit/b0296c0522e837d65f944beefa3fb64fd08ac304", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/helm/helm/commit/b0296c0522e837d65f944beefa3fb64fd08ac304" }, { "name": "https://github.com/helm/helm/commit/c8d6b01d72c9604e43ee70d0d78fadd54c2d8499", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/helm/helm/commit/c8d6b01d72c9604e43ee70d0d78fadd54c2d8499" }, { "name": "https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b" }, { "name": "https://github.com/helm/helm/commit/f2ede29480b507b7d8bb152dd8b6b86248b00658", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/helm/helm/commit/f2ede29480b507b7d8bb152dd8b6b86248b00658" } ], "affected": [ { "vendor": "helm", "product": "helm", "versions": [ { "version": ">= 2.0.0, < 2.16.11", "status": "affected" }, { "version": ">= 3.0.0, < 3.3.2", "status": "affected" } ] } ], "providerMetadata": { "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-29T22:59:03.267Z" }, "descriptions": [ { "lang": "en", "value": "In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack.\nTo perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2.\nAs a possible workaround make sure to install plugins using a secure connection protocol like SSL." } ], "source": { "advisory": "GHSA-c52f-pq47-2r9j", "discovery": "UNKNOWN" } }, "adp": [ { "providerMetadata": { "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:22.691Z" }, "title": "CVE Program Container", "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/helm/helm/security/advisories/GHSA-c52f-pq47-2r9j" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b" } ] } ] }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15187", "datePublished": "2020-09-17T21:50:12.000Z", "dateReserved": "2020-06-25T00:00:00.000Z", "dateUpdated": "2025-05-29T22:59:03.267Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }