{"containers":{"cna":{"title":"Duplicate plugin entries in Helm","problemTypes":[{"descriptions":[{"cweId":"CWE-694","lang":"en","description":"CWE-694: Use of Multiple Resources with Duplicate Identifier","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-74","lang":"en","description":"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/helm/helm/security/advisories/GHSA-c52f-pq47-2r9j","tags":["x_refsource_CONFIRM"],"url":"https://github.com/helm/helm/security/advisories/GHSA-c52f-pq47-2r9j"},{"name":"https://github.com/helm/helm/commit/6aab63765f99050b115f0aec3d6350c85e8da946","tags":["x_refsource_MISC"],"url":"https://github.com/helm/helm/commit/6aab63765f99050b115f0aec3d6350c85e8da946"},{"name":"https://github.com/helm/helm/commit/ac7c07c37d87e09797f714fb57aa5e9cb99d9450","tags":["x_refsource_MISC"],"url":"https://github.com/helm/helm/commit/ac7c07c37d87e09797f714fb57aa5e9cb99d9450"},{"name":"https://github.com/helm/helm/commit/b0296c0522e837d65f944beefa3fb64fd08ac304","tags":["x_refsource_MISC"],"url":"https://github.com/helm/helm/commit/b0296c0522e837d65f944beefa3fb64fd08ac304"},{"name":"https://github.com/helm/helm/commit/c8d6b01d72c9604e43ee70d0d78fadd54c2d8499","tags":["x_refsource_MISC"],"url":"https://github.com/helm/helm/commit/c8d6b01d72c9604e43ee70d0d78fadd54c2d8499"},{"name":"https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b","tags":["x_refsource_MISC"],"url":"https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b"},{"name":"https://github.com/helm/hel
m/commit/f2ede29480b507b7d8bb152dd8b6b86248b00658","tags":["x_refsource_MISC"],"url":"https://github.com/helm/helm/commit/f2ede29480b507b7d8bb152dd8b6b86248b00658"}],"affected":[{"vendor":"helm","product":"helm","versions":[{"version":">= 2.0.0, < 2.16.11","status":"affected"},{"version":">= 3.0.0, < 3.3.2","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2025-05-29T22:59:03.267Z"},"descriptions":[{"lang":"en","value":"In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always being used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack.\nTo perform this attack, an attacker must have write access to the git repository or to the plugin archive (.tgz) while it is being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2.\nAs a possible workaround, make sure to install plugins using a secure connection protocol like SSL."}],"source":{"advisory":"GHSA-c52f-pq47-2r9j","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T13:08:22.691Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/helm/helm/security/advisories/GHSA-c52f-pq47-2r9j"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/helm/helm/commit/d9ef5ce8bad512e325390c0011be1244b8380e4b"}]}]},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2020-15187","datePublished":"2020-09-17T21:50:12.000Z","dateReserved":"2020-06-25T00:00:00.000Z","dateUpdated":"2025-05-29T22:59:03.267Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}