Platform
go
Component
helm.sh/helm
Fixed in
2.7.3
2.7.2
CVE-2019-1010275 describes an improper certificate validation vulnerability within Helm, a package manager for Kubernetes. This flaw allows attackers to perform man-in-the-middle (MITM) attacks, potentially leading to the deployment of malicious Kubernetes charts. The vulnerability affects Helm versions prior to 2.7.2+incompatible, and a fix has been released. Promptly upgrading is crucial to secure your Kubernetes deployments.
The core of this vulnerability lies in Helm's failure to properly validate the certificates used during chart downloads and deployments. An attacker positioned between the client and the chart repository can intercept the communication, present a forged certificate, and inject malicious code into the chart. This malicious chart, once deployed, could compromise the entire Kubernetes cluster. Attackers could gain unauthorized access to sensitive data, escalate privileges, or even take complete control of the cluster. The impact is particularly severe because Helm is often used to automate complex deployments, making it a prime target for attackers seeking to gain widespread control.
This vulnerability was publicly disclosed in 2019. While no widespread exploitation campaigns have been definitively linked to CVE-2019-1010275, the potential for MITM attacks makes it a persistent risk. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of the attack.
Organizations heavily reliant on Helm for Kubernetes deployments, particularly those using public or untrusted Helm repositories, are at significant risk. Environments with legacy Helm installations or those lacking robust network security controls are also particularly vulnerable.
• linux / server:
find /var/lib/helm/cache -type f -name '*.tgz' -print0 | xargs -0 sha256sum | grep -v 'expected_checksum'
• generic web:
curl -sI https://your-helm-repo.example.com/index.yaml | grep 'Server:'
Exploit Status
EPSS
0.30% (54th percentile)
The primary mitigation for CVE-2019-1010275 is to upgrade Helm to version 2.7.2+incompatible or later. If an immediate upgrade is not feasible due to compatibility issues, consider implementing stricter network controls to prevent unauthorized access to your Helm repositories. Verify that your Helm repositories are served over HTTPS and that you are using trusted certificate authorities. Additionally, implement a process for verifying the integrity of downloaded charts before deployment. After upgrading, confirm the fix by attempting a chart deployment and verifying that the certificate validation process is functioning correctly.
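As an added example (not code from this advisory or from the Helm project), the script below shows two of the mitigations above in Python: a strict TLS context for talking to the repository, and a check that a downloaded chart archive matches the sha256 digest listed for it in the repository's index.yaml. The chart bytes and the index.yaml are constructed, and the chart name demo-app and its URL are placeholders.

```python
import hashlib, hmac, re, ssl
from typing import Dict, Optional, Tuple

# Constructed sample chart archive plus an index.yaml in the shape Helm
# repositories serve (entries -> chart -> versions, each with a sha256 digest).
SAMPLE_CHART = b"constructed demo-app-1.0.0.tgz bytes (not a real archive)"
SAMPLE_INDEX = f"""\
apiVersion: v1
entries:
  demo-app:
    - name: demo-app
      version: 1.0.0
      digest: {hashlib.sha256(SAMPLE_CHART).hexdigest()}
      urls:
        - https://charts.example.invalid/demo-app-1.0.0.tgz
"""

def index_digests(index_text: str) -> Dict[Tuple[str, str], str]:
    """Map (chart, version) -> digest. Minimal line parser so the example
    runs without PyYAML; it reads only name/version/digest of each entry."""
    digests, entry = {}, {}
    for line in index_text.splitlines():
        m = re.match(r"\s*-?\s*(name|version|digest):\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "name":  # "- name:" opens a new version entry
            entry = {}
        entry[key] = value
        if len(entry) == 3:
            digests[(entry["name"], entry["version"])] = entry["digest"]
            entry = {}
    return digests

def verify_chart(index_text: str, name: str, version: str, chart: bytes) -> bool:
    """True only if the downloaded archive matches the digest the index lists."""
    expected = index_digests(index_text).get((name, version))
    if expected is None:
        return False  # unknown chart/version: refuse rather than trust it
    return hmac.compare_digest(hashlib.sha256(chart).hexdigest(), expected)

def strict_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context that rejects unverified or hostname-mismatched server certs.
    cafile is the bundle your repository chains to; None uses system roots."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

Pass strict_tls_context(cafile) as the context argument to urllib.request.urlopen when fetching both index.yaml and the archive, then run verify_chart on the bytes before anything is installed.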
Update Helm to version 2.7.2 or later. This version corrects the improper certificate validation, so that unauthorized clients can no longer connect to the server. The update can be performed by downloading the new version from the official Helm website or by using the corresponding package manager.
CVE-2019-1010275 is a critical vulnerability in Helm allowing man-in-the-middle attacks. It affects versions before 2.7.2+incompatible, enabling attackers to intercept and modify Kubernetes charts.
You are affected if you are using Helm versions prior to 2.7.2+incompatible. Check your Helm version and upgrade immediately if vulnerable.
Upgrade Helm to version 2.7.2+incompatible or later. If immediate upgrade is not possible, implement stricter network controls and chart verification processes.
While no widespread exploitation campaigns are confirmed, the vulnerability's potential makes it a persistent risk. Public proof-of-concept exploits exist.
Refer to the official Helm security advisory: https://security.helm.sh/advisories/CVE-2019-1010275