3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15184

GHSA ID

GHSA-9vp5-m38w-j776

EPSS Score

0.46214%

CWE

CWE-20

Published

5/24/2021

Updated

10/2/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15184

CVE-2020-15184: Aliases are never checked in helm

Impact

During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart.

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11

Specific Go Packages Affected

helm.sh/helm/v3/pkg/chartutil

Workarounds

Manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.

(GitHub Advisory)

3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15184

GHSA ID

GHSA-9vp5-m38w-j776

EPSS Score

0.46214%

CWE

CWE-20

Published

5/24/2021

Updated

10/2/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
helm.sh/helm/v3	go	>= 3.0.0, < 3.3.2	3.3.2
helm.sh/helm	go	< 2.16.11	2.16.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing input validation on the 'alias' field in Chart.yaml dependencies. The patch adds regex validation (aliasRegexp) in both getAliasDependency() and doProcessRequirementsEnabled() functions. These functions were vulnerable because they processed alias values without checking for special characters, allowing injection attacks. The commit diff shows validation was added directly to these functions, confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *urin* * s**urity *u*it o* **lm's *o** **s*, s**urity r*s**r***rs *t Tr*il o* *its i**nti*i** * *u* in w*i** t** `*li*s` *i*l* on * `***rt.y*ml` is not prop*rly s*nitiz**. T*is *oul* l*** to t** inj**tion o* unw*nt** in*orm*tion into * **

Reasoning

T** vuln*r**ility st*ms *rom missin* input v*li**tion on t** '*li*s' *i*l* in `***rt.y*ml` **p*n**n*i*s. T** p*t** ***s r***x v*li**tion (`*li*sR***xp`) in *ot* `**t*li*s**p*n**n*y()` *n* `*oPro**ssR*quir*m*nts*n**l**()` *un*tions. T**s* *un*tions w*

3.7

Basic Information

Concerned about an active attack path?

CVE-2020-15184: Aliases are never checked in helm

Impact

Patches

Specific Go Packages Affected

Workarounds

3.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI