Miggo Logo

CVE-2020-15184: Aliases are never checked in helm

3.7

CVSS Score
3.1

Basic Information

EPSS Score
0.46214%
Published
5/24/2021
Updated
10/2/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
helm.sh/helm/v3go>= 3.0.0, < 3.3.23.3.2
helm.sh/helmgo< 2.16.112.16.11

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing input validation on the 'alias' field in Chart.yaml dependencies. The patch adds regex validation (aliasRegexp) in both getAliasDependency() and doProcessRequirementsEnabled() functions. These functions were vulnerable because they processed alias values without checking for special characters, allowing injection attacks. The commit diff shows validation was added directly to these functions, confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *urin* * s**urity *u*it o* **lm's *o** **s*, s**urity r*s**r***rs *t Tr*il o* *its i**nti*i** * *u* in w*i** t** `*li*s` *i*l* on * `***rt.y*ml` is not prop*rly s*nitiz**. T*is *oul* l*** to t** inj**tion o* unw*nt** in*orm*tion into * **

Reasoning

T** vuln*r**ility st*ms *rom missin* input v*li**tion on t** '*li*s' *i*l* in `***rt.y*ml` **p*n**n*i*s. T** p*t** ***s r***x v*li**tion (`*li*sR***xp`) in *ot* `**t*li*s**p*n**n*y()` *n* `*oPro**ssR*quir*m*nts*n**l**()` *un*tions. T**s* *un*tions w*