Platform: go
Component: helm.sh/helm
Fixed versions: 2.7.3, 2.7.2
CVE-2019-1010275 describes an improper certificate validation vulnerability within Helm, a package manager for Kubernetes. This flaw allows attackers to perform man-in-the-middle (MITM) attacks, potentially leading to the deployment of malicious Kubernetes charts. The vulnerability affects Helm versions prior to 2.7.2+incompatible, and a fix has been released. Promptly upgrading is crucial to secure your Kubernetes deployments.
The core of this vulnerability lies in Helm's failure to properly validate the certificates used during chart downloads and deployments. An attacker positioned between the client and the chart repository can intercept the communication, present a forged certificate, and inject malicious code into the chart. This malicious chart, once deployed, could compromise the entire Kubernetes cluster. Attackers could gain unauthorized access to sensitive data, escalate privileges, or even take complete control of the cluster. The impact is particularly severe because Helm is often used to automate complex deployments, making it a prime target for attackers seeking to gain widespread control.
This vulnerability was publicly disclosed in 2019. While no widespread exploitation campaigns have been definitively linked to CVE-2019-1010275, the potential for MITM attacks makes it a persistent risk. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of the attack.
Organizations heavily reliant on Helm for Kubernetes deployments, particularly those using public or untrusted Helm repositories, are at significant risk. Environments with legacy Helm installations or those lacking robust network security controls are also particularly vulnerable.
• linux / server:
find /var/lib/helm/cache -type f -name '*.tgz' -print0 | xargs -0 sha256sum | grep -v 'expected_checksum'
• generic web:
curl -sI https://your-helm-repo.example.com/index.yaml | grep 'Server:'
Disclosure
Patch
Exploitation status
EPSS: 0.30% (54th percentile)
CVSS vector
The primary mitigation for CVE-2019-1010275 is to upgrade Helm to version 2.7.2+incompatible or later. If an immediate upgrade is not feasible due to compatibility issues, consider implementing stricter network controls to prevent unauthorized access to your Helm repositories. Verify that your Helm repositories are served over HTTPS and that you are using trusted certificate authorities. Additionally, implement a process for verifying the integrity of downloaded charts before deployment. After upgrading, confirm the fix by attempting a chart deployment and verifying that the certificate validation process is functioning correctly.
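The chart-integrity step described above, as an added example that is not part of this advisory or of the Helm project: it checks a `helm version --client` string against the fixed release and verifies a downloaded chart archive against the `digest:` field of the repository's index.yaml. The index text and chart bytes are constructed samples, and the index reader is a minimal line-based reader for the layout `helm repo index` writes, not a general YAML parser.

```python
import hashlib
import hmac
import re

FIXED = (2, 7, 2)  # first Helm release carrying the fix for CVE-2019-1010275
def helm_version_is_vulnerable(version: str) -> bool:
    """True when a `helm version --client` string is older than 2.7.2."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable Helm version: {version!r}")
    return tuple(int(x) for x in m.groups()) < FIXED

def index_digests(index_yaml: str) -> dict:
    """Map (chart, version) -> digest, reading the layout `helm repo index` writes:
    chart entries are list items at two-space indent with scalar keys at four;
    deeper nested lists (urls, maintainers) are skipped. Not a general YAML parser."""
    out, item = {}, {}
    def flush():
        if {"name", "version", "digest"} <= item.keys():
            out[(item["name"], item["version"])] = item["digest"]
    for line in index_yaml.splitlines():
        if line.startswith("  - "):   # a new chart entry begins
            flush()
            item = {}
        m = re.match(r"^(?:  - |    )(name|version|digest): (\S+)$", line)
        if m:
            item[m.group(1)] = m.group(2)
    flush()
    return out

def chart_digest(chart_bytes: bytes) -> str:
    """Helm records the sha256 of the packaged .tgz as 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(chart_bytes).hexdigest()
def chart_matches_index(chart_bytes: bytes, index_yaml: str, name: str, version: str) -> bool:
    """Reject a downloaded chart whose digest differs from the index entry."""
    expected = index_digests(index_yaml).get((name, version))
    return expected is not None and hmac.compare_digest(chart_digest(chart_bytes), expected)

# Constructed sample input standing in for mychart-1.2.3.tgz and its index entry.
SAMPLE_CHART = b"constructed chart archive bytes"
SAMPLE_INDEX = f"""apiVersion: v1
entries:
  mychart:
  - apiVersion: v1
    digest: {chart_digest(SAMPLE_CHART)}
    name: mychart
    urls:
    - https://charts.example.invalid/mychart-1.2.3.tgz
    version: 1.2.3
"""
```

Fetch index.yaml and the chart over HTTPS from a repository you trust, then call `chart_matches_index` on the downloaded bytes before `helm install`; a mismatch means the archive is not the one the index advertises.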
Upgrade Helm to 2.7.2 or later. This version fixes the improper certificate validation, preventing unauthorized clients from connecting to the server. The upgrade can be done by downloading the new release from the official Helm website or by using the corresponding package manager.
CVE-2019-1010275 is a critical vulnerability in Helm allowing man-in-the-middle attacks. It affects versions before 2.7.2+incompatible, enabling attackers to intercept and modify Kubernetes charts.
You are affected if you are using Helm versions prior to 2.7.2+incompatible. Check your Helm version and upgrade immediately if vulnerable.
Upgrade Helm to version 2.7.2+incompatible or later. If immediate upgrade is not possible, implement stricter network controls and chart verification processes.
While no widespread exploitation campaigns are confirmed, the vulnerability's potential makes it a persistent risk. Public proof-of-concept exploits exist.
Refer to the official Helm security advisory: https://security.helm.sh/advisories/CVE-2019-1010275