Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2020-15185

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Sep 17, 2020 | Modified: Nov 21, 2024
CVSS 3.x
2.7
LOW
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:N/I:P/A:N
RedHat/V2
RedHat/V3
2.7 LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Ubuntu
Vulnerability-free packages from our partners
root.io logo minimus.io logo echo.ai logo
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2020-15185
CWEhttps://cwe.mitre.org/data/definitions/74.html

In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index file in the Helm repository cache before installing software.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

NameVendorStart VersionEnd Version
HelmHelm2.0.0 (including)2.16.11 (excluding)
HelmHelm3.0.0 (including)3.3.2 (excluding)
Red Hat Advanced Cluster Management for Kubernetes 2RedHatacmesolver-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatacm-must-gather-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatacm-operator-bundle-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatapplication-ui-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatcainjector-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatcert-manager-controller-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatcert-manager-webhook-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatcert-policy-controller-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatclusterlifecycle-state-metrics-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatconfigmap-watcher-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatconfig-policy-controller-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatconsole-api-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatconsole-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatconsole-header-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatconsole-ui-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatendpoint-component-operator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatendpoint-monitoring-operator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatendpoint-operator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatgovernance-policy-propagator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatgovernance-policy-spec-sync-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatgovernance-policy-status-sync-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatgovernance-policy-template-sync-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatgrafana-dashboard-loader-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatgrc-ui-api-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatgrc-ui-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatiam-policy-controller-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatklusterlet-addon-lease-controller-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatklusterlet-operator-bundle-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatkui-web-terminal-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmanagement-ingress-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmcm-topology-api-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmcm-topology-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmemcached-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmemcached-exporter-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmetrics-collector-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmulticloud-manager-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmulticlusterhub-operator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmulticlusterhub-repo-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmulticluster-observability-operator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmulticluster-operators-application-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmulticluster-operators-channel-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmulticluster-operators-deployable-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmulticluster-operators-placementrule-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmulticluster-operators-subscription-operator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatmulticluster-operators-subscription-release-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatobservatorium-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatobservatorium-operator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatopenshift-hive-operator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatrbac-query-proxy-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatrcm-controller-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatredisgraph-tls-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatregistration-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatregistration-operator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatsearch-aggregator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatsearch-api-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatsearch-collector-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatsearch-operator-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatsearch-ui-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatsubmariner-addon-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatthanos-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatthanos-receive-controller-container*
Red Hat Advanced Cluster Management for Kubernetes 2RedHatwork-container*

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2026 Aqua Security Software Ltd.   Privacy Policy | Terms of Use