Keptn v1 reached EOL December 22, 2023. For more information see


Version 1.0

Revision Information

Revision Updated Reason
1.0 April 25, 2023 Initial Reason


Container Images Affected versions Pathced versions
keptn/helm-service > 0.1.0 0.7.0
keptn/installer > 0.2.2 0.7.0
keptn/remediation-service > 0.5.0.beta 0.8.3
keptn/upgrader 0.7.0 no newer versions available



Remediation service container images between versions 0.7.3 to 0.8.2 are not safe to use. Building container images from Keptn’s source code between versions 0.1.0 and 0.8.2 is not safe, although the released container images are safe (except listed above).


The vulnerability happened due to a deleted Google Storage bucket by the Helm project (kubernetes-helm bucket) that hosted the CLI binaries. The Helm project switched to GitHub releases for their CLI binaries and deleted the storage bucket which made the name (and therefore identical URL) available again for other users to take. This makes components that depend on the Helm CLI vulnerable to RCE at build time since the storage bucket can be taken by any user and during container image build time and the content of the bucket is downloaded into the container image without any integrity (or any other) checks.


This is a vulnerability that can only be exploited during build time of Dockerfiles from Keptn versions 0.1.0 to 0.8.2.


CVSS v3.1 Vector Score 4.7: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N


The problem will not be patched since the affected versions are over 2 years old and are not built or maintained anymore by any automated system or otherwise.

The problem will be addressed by deleting the affected Docker images and deleting GitHub tags and release branches for the affected Keptn versions to avoid building the vulnerable code. Additionally, disclaimers will be added to the affected GitHub releases.


The vulnerability can be avoided by not building any of the aforementioned container images by oneself and using the released images instead.


GitHub Security Advisory