Interpretation conflict in Helm - CVE-2020-15187


Published: September 18, 2020 / Updated: April 9, 2026


Vulnerability identifier: #VU47089
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-15187
CWE-ID: CWE-436
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Helm
Software vendor:
The Helm Project

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper handling of duplicate entries in plugin.yaml during Helm plugin installation. Helm did not reject a plugin manifest in which the same key appears more than once; a lenient YAML decoder silently keeps the last occurrence, so the value that Helm actually acts on can differ from the one a reviewer sees first in the file. A remote user who can alter the plugin archive or repository content can add a duplicate entry (for example a second command or install hook) whose value executes arbitrary code on the machine of the user installing or running the plugin.

Exploitation requires write access to the plugin's git repository, or the ability to tamper with the plugin archive while it is being downloaded.
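The interpretation conflict described above, as an added example that is not part of the original advisory or of Helm's own code: the manifest below is constructed for illustration, and the helper functions (DuplicateKeys, LastWins, ValidateStrict) are hypothetical names used here only to contrast the lenient "last entry wins" behaviour with a strict check that refuses a manifest with repeated top-level keys. Helm's fix rejects manifests containing duplicate entries; this standalone checker approximates that for top-level keys using only the Go standard library, so it can be run over a plugin archive before installation.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// samplePluginYAML is a constructed plugin manifest, not a real plugin. The
// "command" key appears twice; a lenient YAML decoder keeps the last value.
const samplePluginYAML = `name: "greeter"
version: "0.1.0"
usage: "prints a greeting"
description: "harmless-looking example plugin"
command: "$HELM_PLUGIN_DIR/bin/hello"
ignoreFlags: false
# duplicate key: a lenient decoder silently replaces the value above with this one
command: "$HELM_PLUGIN_DIR/bin/run-me-instead"
`

// topLevelEntries walks the document line by line and calls fn with
// (key, value, line) for every top-level mapping entry. Indented lines, list
// items and comments are skipped, so nested blocks are not inspected, and
// keys are assumed not to contain ':'.
func topLevelEntries(doc string, fn func(key, value string, line int)) {
	sc := bufio.NewScanner(strings.NewReader(doc))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if line == "" || strings.HasPrefix(line, "#") ||
			strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t") ||
			strings.HasPrefix(line, "-") {
			continue
		}
		idx := strings.Index(line, ":")
		if idx <= 0 {
			continue
		}
		key := strings.TrimSpace(line[:idx])
		value := strings.Trim(strings.TrimSpace(line[idx+1:]), `"`)
		fn(key, value, n)
	}
}

// DuplicateKeys returns, for each top-level key that occurs more than once,
// the 1-based line numbers of every occurrence.
func DuplicateKeys(doc string) map[string][]int {
	seen := map[string][]int{}
	topLevelEntries(doc, func(key, _ string, line int) {
		seen[key] = append(seen[key], line)
	})
	dups := map[string][]int{}
	for k, lines := range seen {
		if len(lines) > 1 {
			dups[k] = lines
		}
	}
	return dups
}

// LastWins reproduces the pre-fix behaviour: each occurrence of a key simply
// overwrites the previous one, so the final value is whatever appears last.
func LastWins(doc string) map[string]string {
	out := map[string]string{}
	topLevelEntries(doc, func(key, value string, _ int) {
		out[key] = value
	})
	return out
}

// ValidateStrict is the hardened behaviour: refuse any manifest in which a
// top-level key is repeated, naming the keys and lines so a reviewer can see
// what a lenient decoder would have hidden.
func ValidateStrict(doc string) error {
	dups := DuplicateKeys(doc)
	if len(dups) == 0 {
		return nil
	}
	keys := make([]string, 0, len(dups))
	for k := range dups {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var parts []string
	for _, k := range keys {
		parts = append(parts, fmt.Sprintf("%s (lines %v)", k, dups[k]))
	}
	return fmt.Errorf("plugin.yaml has duplicate top-level keys: %s", strings.Join(parts, ", "))
}

func main() {
	fmt.Println("value a lenient decoder would use for 'command':",
		LastWins(samplePluginYAML)["command"])
	if err := ValidateStrict(samplePluginYAML); err != nil {
		fmt.Println("strict check:", err)
	}
}
```

Running the program shows that a last-wins decoder resolves "command" to the second, attacker-supplied path, while the strict check reports both line numbers and refuses the manifest. The checker only examines top-level keys; a full defence relies on a strict YAML decoder that rejects duplicates at every nesting level, which is what an upgraded Helm provides.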


Remediation

Install the update from the vendor's website; the issue is fixed in Helm 2.16.11 and 3.3.2. Until the upgrade is applied, install plugins only from trusted sources and inspect plugin.yaml for repeated keys before running helm plugin install.

External links