Platform: go
Component: helm.sh/helm
Fixed in: 2.7.3, 2.7.2
CVE-2019-1010275 describes an improper certificate validation vulnerability in Helm, a package manager for Kubernetes. The flaw allows attackers to perform man-in-the-middle (MITM) attacks, potentially leading to the deployment of malicious Kubernetes charts. It affects Helm versions prior to 2.7.2+incompatible, and a fix has been released; upgrading promptly is the key step in securing your Kubernetes deployments.
The core of this vulnerability lies in Helm's failure to properly validate the certificates used during chart downloads and deployments. An attacker positioned between the client and the chart repository can intercept the communication, present a forged certificate, and inject malicious code into the chart. This malicious chart, once deployed, could compromise the entire Kubernetes cluster. Attackers could gain unauthorized access to sensitive data, escalate privileges, or even take complete control of the cluster. The impact is particularly severe because Helm is often used to automate complex deployments, making it a prime target for attackers seeking to gain widespread control.
This vulnerability was publicly disclosed in 2019. While no widespread exploitation campaigns have been definitively linked to CVE-2019-1010275, the potential for MITM attacks makes it a persistent risk. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of the attack.
Organizations heavily reliant on Helm for Kubernetes deployments, particularly those using public or untrusted Helm repositories, are at significant risk. Environments with legacy Helm installations or those lacking robust network security controls are also particularly vulnerable.
• linux / server:
find /var/lib/helm/cache -type f -name '*.tgz' -print0 | xargs -0 sha256sum | grep -v 'expected_checksum'
• generic web:
curl -I https://your-helm-repo.example.com/index.yaml | grep 'Server:'
disclosure
patch
Exploit status
EPSS
0.30% (54th percentile)
CVSS vector
The primary mitigation for CVE-2019-1010275 is to upgrade Helm to version 2.7.2+incompatible or later. If an immediate upgrade is not feasible due to compatibility issues, consider implementing stricter network controls to prevent unauthorized access to your Helm repositories. Verify that your Helm repositories are served over HTTPS and that you are using trusted certificate authorities. Additionally, implement a process for verifying the integrity of downloaded charts before deployment. After upgrading, confirm the fix by attempting a chart deployment and verifying that the certificate validation process is functioning correctly.
Update Helm to version 2.7.2 or later. This version corrects the improper certificate validation, preventing unauthorized clients from connecting to the server. The update can be performed by downloading the new release from the official Helm website or by using the corresponding package manager.
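The two pre-deployment checks the mitigation above asks for, a version gate against the fixed release and verification of a downloaded chart archive against the digest recorded in the repository's index.yaml, as an added shell example that is not from this advisory page or the Helm project. `helm_version_vulnerable`, `file_sha256`, `verify_chart_digest` and `make_sample_repo` are hypothetical helper names; the sample repository (a one-line file standing in for a chart archive, plus an index.yaml in Helm's standard layout) is constructed inline, and the index parser assumes that layout's two-space indentation for chart entries.

```shell
#!/bin/sh
# Added example (not from the advisory): gate deployments on the Helm client
# version and on the chart digest published in index.yaml.
set -u

# Return 0 if the Helm client version string is older than the fixed release
# 2.7.2, 1 if it is 2.7.2 or newer, 2 if no x.y.z version can be found.
# Accepts the forms Helm prints: "v2.7.1", "2.7.1+incompatible", or the
# SemVer:"v2.7.1" fragment of `helm version -c`.
helm_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk 'match($0, /[0-9]+\.[0-9]+\.[0-9]+/) { print substr($0, RSTART, RLENGTH); exit }')
    [ -n "$ver" ] || { echo "unrecognised version string: $1" >&2; return 2; }
    oldIFS=$IFS; IFS=.; set -- $ver; IFS=$oldIFS
    major=$1; minor=$2; patch=$3
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -gt 2 ]; then return 1; fi
    if [ "$minor" -lt 7 ]; then return 0; fi
    if [ "$minor" -gt 7 ]; then return 1; fi
    [ "$patch" -lt 2 ]
}

# Print the hex SHA-256 of a file (GNU coreutils or BSD/macOS shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_chart_digest INDEX CHART VERSION ARCHIVE
# Look up the "digest:" field of the matching entry in index.yaml and compare
# it with the archive actually on disk.  Returns 0 on match, 1 on mismatch or
# when no entry exists, so an attacker-substituted archive is refused.
verify_chart_digest() {
    index=$1; chart_name=$2; chart_version=$3; archive=$4
    expected=$(awk -v n="$chart_name" -v tv="$chart_version" '
        /^  - /          { d = ""; nm = ""; v = "" }   # new list item under entries:
        $1 == "digest:"  { d = $2 }
        $1 == "name:"    { nm = $2 }
        $1 == "version:" { v = $2 }
        d != "" && nm == n && v == tv { print d; exit }
    ' "$index")
    actual=$(file_sha256 "$archive")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        return 0
    fi
    echo "digest mismatch for $archive (index: ${expected:-none}, file: $actual)" >&2
    return 1
}

# Constructed sample repository in a temp dir: the "archive" is the bytes
# "hello\n" (sha256 5891b5...be03) and index.yaml records that digest for
# demo 0.1.0 and a deliberately wrong digest for demo 0.2.0.  Prints the path.
make_sample_repo() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/demo-0.1.0.tgz"
    cat > "$dir/index.yaml" <<'EOF'
apiVersion: v1
entries:
  demo:
  - apiVersion: v1
    created: "2019-01-01T00:00:00Z"
    digest: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    name: demo
    urls:
    - demo-0.1.0.tgz
    version: 0.1.0
  - apiVersion: v1
    created: "2019-01-01T00:00:00Z"
    digest: 0000000000000000000000000000000000000000000000000000000000000000
    name: demo
    urls:
    - demo-0.2.0.tgz
    version: 0.2.0
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo: version gate, then a good and a tampered archive.
for v in "v2.7.1" "2.7.2+incompatible" 'Client: &version.Version{SemVer:"v2.7.0"}'; do
    if helm_version_vulnerable "$v"; then echo "$v: affected, upgrade"; else echo "$v: fixed"; fi
done
repo=$(make_sample_repo)
if verify_chart_digest "$repo/index.yaml" demo 0.1.0 "$repo/demo-0.1.0.tgz"; then
    echo "demo-0.1.0.tgz: digest OK"
fi
printf 'hello\ntampered\n' > "$repo/tampered.tgz"
if ! verify_chart_digest "$repo/index.yaml" demo 0.1.0 "$repo/tampered.tgz"; then
    echo "tampered.tgz: digest mismatch, do not deploy"
fi
rm -rf "$repo"
```

In practice the index.yaml should itself be fetched over HTTPS from a repository whose certificate chains to a CA you trust, since the digest check only protects the archive once the index is authentic.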
CVE-2019-1010275 is a critical vulnerability in Helm allowing man-in-the-middle attacks. It affects versions before 2.7.2+incompatible, enabling attackers to intercept and modify Kubernetes charts.
You are affected if you are using Helm versions prior to 2.7.2+incompatible. Check your Helm version and upgrade immediately if vulnerable.
Upgrade Helm to version 2.7.2+incompatible or later. If immediate upgrade is not possible, implement stricter network controls and chart verification processes.
While no widespread exploitation campaigns are confirmed, the vulnerability's potential makes it a persistent risk. Public proof-of-concept exploits exist.
Refer to the official Helm security advisory: https://security.helm.sh/advisories/CVE-2019-1010275