CVE-2019-25210Sensitive Information Exposure in Helm V3

CWE-200Sensitive Information ExposureCWE-201Sensitive Info Insertion into Sent Data5 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 54.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Helm.sh Helm V3
Timeline
PublishedMar 3

Description

An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm through 3.13.3. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values). Also, it is not the Helm Project's responsibility if a user decides to u

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

Gohelm.sh/helm_v33.0.03.14.2

🔴Vulnerability Details

3
CVEList
CVE-2019-25210: An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm through 32024-03-03
GHSA
Withdrawn Advisory: Helm shows secrets in clear text2024-03-03
OSV
Withdrawn Advisory: Helm shows secrets in clear text2024-03-03

📋Vendor Advisories

1
Red Hat
helm: shows secrets with --dry-run option in clear text2024-03-03
CVE-2019-25210 — Sensitive Information Exposure | cvebase