{"id":"CVE-2020-15184","details":"In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.","aliases":["BIT-helm-2020-15184","GHSA-9vp5-m38w-j776"],"modified":"2026-04-11T21:48:51.199572Z","published":"2020-09-17T21:15:17.550Z","related":["GHSA-9vp5-m38w-j776","SUSE-SU-2020:3760-1"],"references":[{"type":"ADVISORY","url":"https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776"},{"type":"FIX","url":"https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/helm/helm","events":[{"introduced":"51bdad42756dfaf3234f53ef3d3cb6bcd94144c2"},{"fixed":"73b28bab84490d18ab1b71489a574ee18e229eea"},{"introduced":"e29ce2a54e96cd02ccfce88bee4f58bb6e2a28b6"},{"fixed":"e5077257b6ca106d1f65652b4ca994736d221ab1"},{"fixed":"e7c281564d8306e1dcf8023d97f972449ad74850"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.0.0"},{"fixed":"2.16.11"},{"introduced":"3.0.0"},{"fixed":"3.3.2"}]}}],"versions":["v2.0.0","v2.1.0","v2.10.0-rc.1","v2.10.0-rc.2","v2.16.10","v2.16.7","v2.16.8","v2.16.9","v2.2.0","v2.3.0","v2.4.0","v2.5.0","v2.6.0","v2.7.0","v2.7.0-rc1","v2.8.0-rc.1","v3.0.0-alpha.1","v3.0.0-alpha.2","v3.0.0-beta.1","v3.0.0-beta.2","v3.0.0-beta.3","v3.0.0-beta.4","v3.0.0-beta.5","v3.3.0","v3.3.0-rc.1","v3.3.0-rc.2","v3.3.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15184.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"}]}