CVE Tools
Sign in

CVE-2024-26147

Helm's Missing YAML Content Leads To Panic

Published: Feb 21, 2024Updated: Jan 9, 2025 Sources: CVE List NVD GHSA BDUCWE-457
NVD MITRE
7.5CVSSHIGH
EPSS Score
0.9%
Top 44.2%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all metadata a panic would occur in Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:NA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:NIntegrity
None
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-457CWE-908

Affected Products

helmhelm
Mixed
DevTools & CI / artifact-registry
helm.sh/helm/v3GoOSS Libraries
HelmThe Linux Foundation
LibraryLibrary
OSS Libraries / generic-library
helmoss-projectDevTools & CI
gopackage-ecosystemOSS Libraries
the linux foundationoss-projectUSCloud & SaaSaka linuxfoundation.org, linux foundation

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

1 technique
Collection
View detailed technique mapping

References

https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af
github.com
https://github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6
github.com
https://nvd.nist.gov/vuln/detail/CVE-2024-26147
nvd.nist.gov
and 1 more references View all →

Timeline

Published
Feb 21, 2024
Last Updated
Jan 9, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-26147 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows