2.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15185

GHSA ID

GHSA-jm56-5h66-w453

EPSS Score

0.56711%

CWE

CWE-20

Published

5/24/2021

Updated

10/2/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15185

CVE-2020-15185: Repository index file allows for duplicates of the same chart entry in helm

Impact

During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository.

To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection).

Specific Go Packages Affected

helm.sh/helm/v3/pkg/repo

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11

Workarounds

do not install charts from repositories you do not trust
fetch charts using a secure channel of communication (such as TLS)
use helm pull to fetch the chart, then review the chart’s content (either manually, or with helm verify if it has been signed) to ensure it has not been tampered with
manually review the index file in the Helm repository cache before installing software.

(GitHub Advisory)

2.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15185

GHSA ID

GHSA-jm56-5h66-w453

EPSS Score

0.56711%

CWE

CWE-20

Published

5/24/2021

Updated

10/2/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
helm.sh/helm/v3	go	>= 3.0.0, < 3.3.2	3.3.2
helm.sh/helm	go	< 2.16.11	2.16.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input validation in index file processing. The key evidence comes from the patch commits which: 1) Changed YAML parsing to strict mode (yaml.UnmarshalStrict) to detect duplicates 2) Added explicit validation logic (validateIndex()) 3) Added test cases for duplicate detection. The original loadIndex() function's use of non-strict parsing and lack of duplicate entry validation directly enabled the vulnerability by allowing multiple entries with the same chart name, with the last one taking precedence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *urin* * s**urity *u*it o* **lm's *o** **s*, s**urity r*s**r***rs *t Tr*il o* *its i**nti*i** * *u* in w*i** t** * **lm r*pository **n *ont*in *upli**t*s o* t** s*m* ***rt, wit* t** l*st on* *lw*ys us**. I* * r*pository is *ompromis**, t*

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion in in**x *il* pro**ssin*. T** k*y *vi**n** *om*s *rom t** p*t** *ommits w*i**: *) ***n*** Y*ML p*rsin* to stri*t mo** (`y*ml.Unm*rs**lStri*t`) to **t**t *upli**t*s *) ***** *xpli*it v*li**tion lo

2.2

Basic Information

Concerned about an active attack path?

CVE-2020-15185: Repository index file allows for duplicates of the same chart entry in helm

Impact

Specific Go Packages Affected

Patches

Workarounds

2.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI