Miggo Logo

CVE-2020-15185: Repository index file allows for duplicates of the same chart entry in helm

2.2

CVSS Score
3.1

Basic Information

EPSS Score
0.56711%
Published
5/24/2021
Updated
10/2/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
helm.sh/helm/v3go>= 3.0.0, < 3.3.23.3.2
helm.sh/helmgo< 2.16.112.16.11

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper input validation in index file processing. The key evidence comes from the patch commits which: 1) Changed YAML parsing to strict mode (yaml.UnmarshalStrict) to detect duplicates 2) Added explicit validation logic (validateIndex()) 3) Added test cases for duplicate detection. The original loadIndex() function's use of non-strict parsing and lack of duplicate entry validation directly enabled the vulnerability by allowing multiple entries with the same chart name, with the last one taking precedence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *urin* * s**urity *u*it o* **lm's *o** **s*, s**urity r*s**r***rs *t Tr*il o* *its i**nti*i** * *u* in w*i** t** * **lm r*pository **n *ont*in *upli**t*s o* t** s*m* ***rt, wit* t** l*st on* *lw*ys us**. I* * r*pository is *ompromis**, t*

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion in in**x *il* pro**ssin*. T** k*y *vi**n** *om*s *rom t** p*t** *ommits w*i**: *) ***n*** Y*ML p*rsin* to stri*t mo** (`y*ml.Unm*rs**lStri*t`) to **t**t *upli**t*s *) ***** *xpli*it v*li**tion lo