Platform: go
Component: helm.sh/helm
Fixed in: 2.7.2, 2.7.3
CVE-2019-1010275 is an improper certificate validation flaw (CWE-295) in Helm, the package manager for Kubernetes. Helm 2 is split into a command-line client and an in-cluster server component, Tiller, and the two can be configured to authenticate each other with TLS certificates. In affected versions that validation was not performed: unauthorized clients could connect to the server because self-signed certificates were not validated. The flaw affects Helm releases before 2.7.2 (recorded in Go module terms as 2.7.2+incompatible, the suffix Go attaches to a v2 tag that predates Go modules) and is fixed in 2.7.2. Upgrading promptly is the only complete remedy.
The boundary at stake is Tiller's. Tiller runs inside the cluster, usually with broad permissions (often cluster-admin), and installs whatever release a connected client requests, so the client-certificate check is what separates an authorised helm user from anyone who can reach Tiller's gRPC port (44134 by default). Because affected versions did not validate the certificate a client presented against the configured CA, an attacker with network access to that port, for example from a compromised pod, or from outside the cluster if the port is exposed, could present a self-signed certificate, connect, and deploy charts of their choosing. That amounts to running arbitrary workloads with Tiller's privileges: reading secrets, escalating privilege, and ultimately taking control of the cluster. The impact is amplified where Helm drives automated deployments and a single Tiller instance manages many namespaces.
The vulnerability was publicly disclosed in 2019. No widespread exploitation campaign has been definitively linked to CVE-2019-1010275, and it is not currently listed in the CISA KEV catalog, but the attack needs nothing beyond network reach to Tiller and a self-signed certificate, so it remains a live risk for any Helm 2 installation that has not been upgraded. Public proof-of-concept exploits are available, demonstrating the feasibility of the attack.
Exploit status
EPSS: 0.30% (54th percentile)
CVSS Vector
The primary mitigation for CVE-2019-1010275 is to upgrade Helm to 2.7.2 (2.7.2+incompatible in Go module notation) or later. Upgrade both halves: the helm client binary and Tiller, the in-cluster server component of Helm 2, which is replaced with `helm init --upgrade`. If an immediate upgrade is not feasible, narrow who can reach Tiller in the meantime: restrict its port (44134 by default) with NetworkPolicy or firewall rules, never expose it outside the cluster, and keep TLS enabled with certificates issued by a CA you control. Serving chart repositories over HTTPS from trusted certificate authorities and verifying the integrity of charts before deployment remain good practice, but they do not address this flaw, which sits in the client-to-Tiller connection rather than in chart downloads. After upgrading, confirm the fix by connecting to Tiller with a client certificate that was not issued by the configured CA (a self-signed one is the exact case the CVE describes): the connection should be refused, while a client presenting a CA-issued certificate should still succeed.
Update Helm to version 2.7.2 or later. This release corrects the improper certificate validation, so unauthorized clients can no longer connect to the server on the strength of an unvalidated certificate. Download the new client from the official Helm website or install it through your package manager, then run `helm init --upgrade` so the in-cluster Tiller matches the client version; `helm version` prints both.
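The following is an added example written for this page, not code from Helm or from the original advisory. It uses Go's crypto/tls to put the defect and the post-upgrade check side by side: a server that requests a client certificate but never validates it (the CWE-295 pattern the CVE describes) next to one that requires a certificate chaining to a configured CA. All certificates (a CA, a server, a CA-issued client and a self-signed rogue client) are generated in memory for the demo; the names `demo-ca`, `tiller`, `helm-client` and `anyone`, and the functions `serverConfig`, `handshake` and `run`, are this example's own and correspond to nothing in Helm. The `tls.RequestClientCert` versus `tls.RequireAndVerifyClientCert` contrast is the generic Go expression of the bug class, not a reproduction of Helm's code path. The server's verdict, not the client's, decides each outcome, because under TLS 1.3 a client can finish its half of the handshake before the server rejects its certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// keyPair bundles a throwaway certificate with its private key.
type keyPair struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	tlsCert tls.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a loopback certificate for cn; parent == nil makes it self-signed.
func newCert(cn string, isCA bool, parent *keyPair) *keyPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	cert := must(x509.ParseCertificate(der))
	return &keyPair{cert: cert, key: key, tlsCert: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}}
}

// serverConfig: verify == false asks for a client certificate but never checks it
// against a CA (the CWE-295 pattern); verify == true requires one chaining to clientCAs.
func serverConfig(server *keyPair, clientCAs *x509.CertPool, verify bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{server.tlsCert}, ClientAuth: tls.RequestClientCert}
	if verify {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		cfg.ClientCAs = clientCAs
	}
	return cfg
}

// handshake runs one handshake on a fresh loopback listener and reports whether the
// SERVER completed it: under TLS 1.3 the client can finish before being rejected.
func handshake(serverCfg *tls.Config, client tls.Certificate, roots *x509.CertPool) bool {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", serverCfg))
	defer ln.Close()
	verdict := make(chan bool, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = conn.(*tls.Conn).Handshake()
		}
		verdict <- err == nil
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, Certificates: []tls.Certificate{client}}); err == nil {
		defer conn.Close()
	}
	return <-verdict
}

// run builds the demo PKI and reports which clients each server configuration accepts.
func run() (weakAcceptsRogue, fixedAcceptsRogue, fixedAcceptsLegit bool) {
	ca := newCert("demo-ca", true, nil)
	server := newCert("tiller", false, ca)
	legit := newCert("helm-client", false, ca)
	rogue := newCert("anyone", false, nil) // self-signed: the case the CVE describes
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	weakAcceptsRogue = handshake(serverConfig(server, nil, false), rogue.tlsCert, roots)
	fixedAcceptsRogue = handshake(serverConfig(server, roots, true), rogue.tlsCert, roots)
	fixedAcceptsLegit = handshake(serverConfig(server, roots, true), legit.tlsCert, roots)
	return
}

func main() {
	fmt.Println(run()) // true false true
}
```

Running it prints `true false true`: the server that skips validation accepts the self-signed client, the verifying server refuses it and still accepts the CA-issued client. The same three-way check, performed against a real Tiller with the helm client and a certificate issued outside the configured CA, is the confirmation step described above.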
CVE-2019-1010275 is an improper certificate validation vulnerability (CWE-295) in Helm. It affects versions before 2.7.2 (2.7.2+incompatible in Go module notation) and lets unauthorized clients connect to Tiller, Helm 2's in-cluster server, because self-signed certificates were not validated.
You are affected if you run Helm 2 older than 2.7.2 with Tiller reachable over the network. Run `helm version`, which prints both the client and the Tiller version, and upgrade immediately if either is older.
Upgrade Helm, client and Tiller, to 2.7.2 or later. If an immediate upgrade is not possible, restrict network access to Tiller and keep a chart verification process in place.
While no widespread exploitation campaigns are confirmed, the low bar for the attack (network reach to Tiller plus a self-signed certificate) makes it a persistent risk. Public proof-of-concept exploits exist.
Refer to the official Helm security advisory: https://security.helm.sh/advisories/CVE-2019-1010275