Lucene search

K
githubGitHub Advisory DatabaseGHSA-JM56-5H66-W453
HistoryMay 24, 2021 - 4:57 p.m.

Repository index file allows for duplicates of the same chart entry in helm

2021-05-2416:57:06
CWE-20
CWE-74
CWE-694
GitHub Advisory Database
github.com
26

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

19.4%

Impact

During a security audit of Helm’s code base, security researchers at Trail of Bits identified a bug in which the a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository.

To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection).

Specific Go Packages Affected

helm.sh/helm/v3/pkg/repo

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11

Workarounds

  • do not install charts from repositories you do not trust
  • fetch charts using a secure channel of communication (such as TLS)
  • use helm pull to fetch the chart, then review the chart’s content (either manually, or with helm verify if it has been signed) to ensure it has not been tampered with
  • manually review the index file in the Helm repository cache before installing software.

Affected configurations

Vulners
Node
helm.shhelmRange<2.16.11
OR
github_advisory_databasehelm.sh\/helm\/v3Range<3.3.2
CPENameOperatorVersion
helm.sh/helmlt2.16.11
helm.sh/helm/v3lt3.3.2

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

19.4%