CVE-2020-15184: Aliases are never checked in helm
CVSS Score
3.7 (CVSS v3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.46214%
CWE
Published
5/24/2021
Updated
10/2/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
helm.sh/helm/v3 | go | >= 3.0.0, < 3.3.2 | 3.3.2 |
helm.sh/helm | go | < 2.16.11 | 2.16.11 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing input validation on the 'alias' field of Chart.yaml dependencies. An alias was accepted verbatim and substituted for the dependency's name without any check for special characters, so a crafted alias could carry unexpected values into wherever that name is used, enabling injection. The patch adds an allow-list regex ('aliasRegexp') and applies it in both getAliasDependency() and doProcessRequirementsEnabled(), the two functions that consume alias values; the commit diff shows the validation added directly inside those functions, confirming their role in the vulnerability.
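The allow-list check described above, as an added example that is not Helm's own code: the 'Dependency' struct is a reduced stand-in for a Chart.yaml dependencies[] entry, 'validateAlias', 'effectiveName' and 'checkDependencies' are hypothetical helpers, and the exact regex pattern is an assumption (letters, digits, '_' and '-' only), chosen so that path separators, template markers and whitespace are all rejected. The sample dependencies are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Dependency mirrors only the Chart.yaml dependencies[] fields that matter
// for alias handling. Reduced struct for this example, not Helm's type.
type Dependency struct {
	Name  string
	Alias string
}

// aliasRegexp is the kind of allow-list the fix introduced. The pattern is
// an assumption here: anything outside [a-zA-Z0-9_-] fails, so "../x",
// "a/b", "{{ .Values.x }}" and "a b" are all rejected.
var aliasRegexp = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)

// validateAlias fails closed on any alias that does not match the allow-list.
// An empty alias is legitimate: it means "no alias, use the dependency name".
func validateAlias(alias string) error {
	if alias == "" {
		return nil
	}
	if !aliasRegexp.MatchString(alias) {
		return fmt.Errorf("illegal alias name %q", alias)
	}
	return nil
}

// effectiveName shows why the check matters: when set, the alias replaces the
// dependency's name, so an unvalidated alias flows into everything that name
// feeds downstream. Validation happens before the substitution.
func effectiveName(d Dependency) (string, error) {
	if err := validateAlias(d.Alias); err != nil {
		return "", err
	}
	if d.Alias != "" {
		return d.Alias, nil
	}
	return d.Name, nil
}

// checkDependencies resolves every dependency's effective name, stopping at
// the first illegal alias so a bad entry never reaches later processing.
func checkDependencies(deps []Dependency) ([]string, error) {
	names := make([]string, 0, len(deps))
	for _, d := range deps {
		n, err := effectiveName(d)
		if err != nil {
			return nil, err
		}
		names = append(names, n)
	}
	return names, nil
}

func main() {
	// Constructed inputs: a benign dependency list and one with a hostile alias.
	good := []Dependency{{Name: "redis", Alias: "cache"}, {Name: "postgresql"}}
	bad := []Dependency{{Name: "redis", Alias: "../../etc/evil"}}

	fmt.Println(checkDependencies(good))
	fmt.Println(checkDependencies(bad))
}
```

The design choice is an allow-list rather than a deny-list of dangerous characters: the set of characters that are harmless in a chart name is small and known, while the set that could cause trouble depends on every consumer of the name (file paths, values keys, template output), so enumerating the good set is the only way to avoid missing a case.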