CVE-2020-15187 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2020-15187 Interim 1 27 2025-05-30T23:17:15Z current 2021-05-30T14:41:51Z 2025-05-30T23:17:15Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2020-15187 In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. As a possible workaround make sure to install plugins using a secure connection protocol like SSL. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2020-October/007599.html E-Mail link for SUSE-CU-2020:555-1 https://lists.suse.com/pipermail/sle-security-updates/2020-October/007600.html E-Mail link for SUSE-CU-2020:556-1 https://lists.suse.com/pipermail/sle-security-updates/2020-December/007989.html E-Mail link for SUSE-CU-2020:783-1 https://lists.suse.com/pipermail/sle-security-updates/2020-December/007991.html E-Mail link for SUSE-CU-2020:785-1 https://lists.suse.com/pipermail/sle-security-updates/2020-December/007994.html E-Mail link for SUSE-CU-2020:788-1 https://lists.suse.com/pipermail/sle-security-updates/2020-December/007995.html E-Mail link for SUSE-CU-2020:789-1 https://lists.suse.com/pipermail/sle-security-updates/2020-December/007997.html E-Mail link for SUSE-CU-2020:791-1 https://lists.suse.com/pipermail/sle-security-updates/2020-December/007998.html E-Mail link for SUSE-CU-2020:793-1 https://lists.suse.com/pipermail/sle-updates/2020-October/016494.html E-Mail link for SUSE-RU-2020:2960-1 https://lists.suse.com/pipermail/sle-security-updates/2020-December/007973.html E-Mail link for SUSE-SU-2020:3760-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Container caasp/v4/coredns:1.6.7 Container caasp/v4/etcd:3.4.13 Container caasp/v4/helm-tiller:2.16.12 Container caasp/v4/hyperkube:v1.17.17 Container caasp/v4/kubernetes-client:1.17.17 Container caasp/v4/kucero:1.3.0 Container caasp/v4/kured:1.3.0 SUSE CaaS Platform 4.0 SUSE CaaS Platform 4.5 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Public Cloud 15 SP3 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Public Cloud 15 SP3 SUSE Linux Enterprise Module for Public Cloud 15 SP4 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Public Cloud 15 SP3 SUSE Linux Enterprise Module for Public Cloud 15 SP4 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Public Cloud 15 SP3 SUSE Linux Enterprise Module for Public Cloud 15 SP4 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Public Cloud 15 SP3 SUSE Linux Enterprise Module for Public Cloud 15 SP4 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Public Cloud 15 SP3 SUSE Linux Enterprise Module for Public Cloud 15 SP4 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Public Cloud 15 SP3 SUSE Linux Enterprise Module for Public Cloud 15 SP4 caasp-release-4.2.4-24.36.1 caasp-release-4.5.1-1.5.2 coredns-1.6.7-3.13.1 cri-o-1.16.1-3.37.3 cri-o-kubeadm-criconfig-1.16.1-3.37.3 etcd-3.4.13-4.15.1 etcdctl-3.4.13-4.15.1 helm-2.16.12-3.10.1 helm3-3.3.3-1.3.1 helm3-3.3.3-3.5.2 kubernetes-client-1.17.13-4.21.2 kubernetes-common-1.17.13-4.21.2 kubernetes-kubeadm-1.17.13-4.21.2 kubernetes-kubelet-1.17.13-4.21.2 kucero-1.3.0-1.3.1 skuba-1.4.11-3.49.2 skuba-2.1.6-3.5.2 skuba-update-1.4.11-3.49.2 skuba-update-2.1.6-3.5.2 terraform-provider-aws terraform-provider-aws-2.59.0-1.6.1 coredns-1.6.7-3.13.1 as a component of Container caasp/v4/coredns:1.6.7 etcd-3.4.13-4.15.1 as a component of Container caasp/v4/etcd:3.4.13 etcdctl-3.4.13-4.15.1 as a component of Container caasp/v4/etcd:3.4.13 helm-2.16.12-3.10.1 as a component of Container caasp/v4/helm-tiller:2.16.12 kubernetes-common-1.17.13-4.21.2 as a component of Container caasp/v4/hyperkube:v1.17.17 kubernetes-client-1.17.13-4.21.2 as a component of Container caasp/v4/kubernetes-client:1.17.17 kubernetes-common-1.17.13-4.21.2 as a component of Container caasp/v4/kubernetes-client:1.17.17 kubernetes-client-1.17.13-4.21.2 as a component of Container caasp/v4/kucero:1.3.0 kubernetes-common-1.17.13-4.21.2 as a component of Container caasp/v4/kucero:1.3.0 kucero-1.3.0-1.3.1 as a component of Container caasp/v4/kucero:1.3.0 kubernetes-client-1.17.13-4.21.2 as a component of Container caasp/v4/kured:1.3.0 kubernetes-common-1.17.13-4.21.2 as a component of Container caasp/v4/kured:1.3.0 caasp-release-4.2.4-24.36.1 as a component of SUSE CaaS Platform 4.0 cri-o-1.16.1-3.37.3 as a component of SUSE CaaS Platform 4.0 cri-o-kubeadm-criconfig-1.16.1-3.37.3 as a component of SUSE CaaS Platform 4.0 etcdctl-3.4.13-4.15.1 as a component of SUSE CaaS Platform 4.0 helm-2.16.12-3.10.1 as a component of SUSE CaaS Platform 4.0 helm3-3.3.3-1.3.1 as a component of SUSE CaaS Platform 4.0 kubernetes-client-1.17.13-4.21.2 as a component of SUSE CaaS Platform 4.0 kubernetes-common-1.17.13-4.21.2 as a component of SUSE CaaS Platform 4.0 kubernetes-kubeadm-1.17.13-4.21.2 as a component of SUSE CaaS Platform 4.0 kubernetes-kubelet-1.17.13-4.21.2 as a component of SUSE CaaS Platform 4.0 skuba-1.4.11-3.49.2 as a component of SUSE CaaS Platform 4.0 skuba-update-1.4.11-3.49.2 as a component of SUSE CaaS Platform 4.0 terraform-provider-aws-2.59.0-1.6.1 as a component of SUSE CaaS Platform 4.0 caasp-release-4.5.1-1.5.2 as a component of SUSE CaaS Platform 4.5 helm3-3.3.3-3.5.2 as a component of SUSE CaaS Platform 4.5 skuba-2.1.6-3.5.2 as a component of SUSE CaaS Platform 4.5 skuba-update-2.1.6-3.5.2 as a component of SUSE CaaS Platform 4.5 kubernetes-client-1.17.13-4.21.2 as a component of SUSE Linux Enterprise Module for Containers 15 SP1 kubernetes-common-1.17.13-4.21.2 as a component of SUSE Linux Enterprise Module for Containers 15 SP1 terraform-provider-aws as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP3 terraform-provider-aws as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP4 In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. As a possible workaround make sure to install plugins using a secure connection protocol like SSL. CVE-2020-15187 Container caasp/v4/coredns:1.6.7:coredns-1.6.7-3.13.1 Container caasp/v4/etcd:3.4.13:etcd-3.4.13-4.15.1 Container caasp/v4/etcd:3.4.13:etcdctl-3.4.13-4.15.1 Container caasp/v4/helm-tiller:2.16.12:helm-2.16.12-3.10.1 Container caasp/v4/hyperkube:v1.17.17:kubernetes-common-1.17.13-4.21.2 Container caasp/v4/kubernetes-client:1.17.17:kubernetes-client-1.17.13-4.21.2 Container caasp/v4/kubernetes-client:1.17.17:kubernetes-common-1.17.13-4.21.2 Container caasp/v4/kucero:1.3.0:kubernetes-client-1.17.13-4.21.2 Container caasp/v4/kucero:1.3.0:kubernetes-common-1.17.13-4.21.2 Container caasp/v4/kucero:1.3.0:kucero-1.3.0-1.3.1 Container caasp/v4/kured:1.3.0:kubernetes-client-1.17.13-4.21.2 Container caasp/v4/kured:1.3.0:kubernetes-common-1.17.13-4.21.2 SUSE CaaS Platform 4.0:caasp-release-4.2.4-24.36.1 SUSE CaaS Platform 4.0:cri-o-1.16.1-3.37.3 SUSE CaaS Platform 4.0:cri-o-kubeadm-criconfig-1.16.1-3.37.3 SUSE CaaS Platform 4.0:etcdctl-3.4.13-4.15.1 SUSE CaaS Platform 4.0:helm-2.16.12-3.10.1 SUSE CaaS Platform 4.0:helm3-3.3.3-1.3.1 SUSE CaaS Platform 4.0:kubernetes-client-1.17.13-4.21.2 SUSE CaaS Platform 4.0:kubernetes-common-1.17.13-4.21.2 SUSE CaaS Platform 4.0:kubernetes-kubeadm-1.17.13-4.21.2 SUSE CaaS Platform 4.0:kubernetes-kubelet-1.17.13-4.21.2 SUSE CaaS Platform 4.0:skuba-1.4.11-3.49.2 SUSE CaaS Platform 4.0:skuba-update-1.4.11-3.49.2 SUSE CaaS Platform 4.0:terraform-provider-aws-2.59.0-1.6.1 SUSE CaaS Platform 4.5:caasp-release-4.5.1-1.5.2 SUSE CaaS Platform 4.5:helm3-3.3.3-3.5.2 SUSE CaaS Platform 4.5:skuba-2.1.6-3.5.2 SUSE CaaS Platform 4.5:skuba-update-2.1.6-3.5.2 SUSE Linux Enterprise Module for Containers 15 SP1:kubernetes-client-1.17.13-4.21.2 SUSE Linux Enterprise Module for Containers 15 SP1:kubernetes-common-1.17.13-4.21.2 SUSE Linux Enterprise Module for Public Cloud 15 SP3:terraform-provider-aws SUSE Linux Enterprise Module for Public Cloud 15 SP4:terraform-provider-aws low 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P 3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N