helm CVE Vulnerabilities & CVE List (29)

Products (CPE): — CVEs: 29

helm vulnerability overview

Aggregates CVE and security vulnerability intelligence across all helm-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Disclosed issues often relate to vendor risk memory corruption, vendor risk input validation, and vendor risk buffer overflow; exposure may include vendor impact memory corruption in vendor surface production workloads contexts.

Vulnerability distribution trend (last 24 months)

Showing 2129 of 29 CVEs
«« First « Prev Page 2 / 2 Next »
CVE Summary Source Max CVSS EPSS % Published Updated
CVE-2020-15186 In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [email protected] 3.4 0.96% 2020-09-17 2026-06-16
CVE-2020-15185 In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually revie [email protected] 2.2 0.88% 2020-09-17 2026-06-16
CVE-2020-15184 In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters. [email protected] 3.7 1.03% 2020-09-17 2026-06-16
CVE-2020-4053 In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4. [email protected] 3.7 1.46% 2020-06-16 2026-06-16
CVE-2020-11013 Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. `lookup` is a Helm template function introduced in Helm v3. It is able to lookup resources in the cluster to check for the existence of specific resources and get details about them. This can be used as part of the process to render templates. The documented behavior of `helm template` states that it does not attach to a remote cluster. However, a the recently added `lookup` template function ci [email protected] 8.5 1.26% 2020-04-24 2026-06-16
CVE-2019-18658 In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue. [email protected] 9.8 1.75% 2019-11-12 2026-06-16
CVE-2019-1010275 helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2. [email protected] 9.8 1.36% 2019-07-17 2026-06-16
CVE-2019-1000009 Helm ChartMuseum version >=0.1.0 and < 0.8.1 contains a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in HTTP API to save charts that can result in a specially crafted chart could be uploaded and saved outside the intended location. This attack appears to be exploitable via A POST request to the HTTP API can save a chart archive outside of the intended directory. If authentication is, optionally, enabled this requires an authorized user to d [email protected] 6.5 1.27% 2019-02-04 2026-06-16
CVE-2019-1000008 All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The commands `helm fetch --untar` and `helm lint some.tgz` that can result when chart archive files are unpacked a file may be unpacked outside of the target directory. This attack appears to be exploitable via a victim must run a helm command on a specially crafted chart archive. This vulnerability appears to have been fixed in [email protected] 6.5 1.48% 2019-02-04 2026-06-16
«« First « Prev Page 2 / 2 Next »
cvelogic Threat Intelligence