Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
2. github.com/helm/helm: helm.sh/helm/v4: Helm: Arbitrary code execution due to insufficient plugin provenance verification
A flaw was found in Helm, a package manager for Kubernetes. A remote attacker could exploit this vulnerability by providing a malicious plugin that lacks a provenance file. Even when signature verification is enabled, Helm would incorrectly install this unverified plugin, bypassing critical security checks. This could lead to arbitrary code execution within the Kubernetes environment, allowing an attacker to gain unauthorized control.
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.