Interpretation conflict in Helm - CVE-2020-15187

 

Interpretation conflict in Helm - CVE-2020-15187

Published: September 18, 2020 / Updated: April 9, 2026


Vulnerability identifier: #VU47089
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-15187
CWE-ID: CWE-436
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Helm Project
Affected software:
Helm

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper handling of duplicate entries in plugin.yaml in Helm plugin installation hooks when processing a compromised plugin archive or repository content. A remote user can introduce duplicate plugin entries so that the last entry is used to execute arbitrary code.

Exploitation requires write access to the plugin git repository or the plug in archive while it is being downloaded.


How to mitigate CVE-2020-15187

Install update from vendor's website.

Sources