CVE-2021-32690Sensitive Information Exposure in Helm

CWE-200Sensitive Information Exposure8 documents6 sources
Severity
8.6HIGHNVD
CNA6.8
EPSS
0.4%
top 39.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
HelmHelm.sh Helm V3
Timeline
PublishedJun 16
Latest updateJul 15

Description

Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages3 packages

CVEListV5helm/helm< 3.6.1
NVDhelm/helm< 3.6.1
Gohelm.sh/helm_v3< 3.6.1

🔴Vulnerability Details

5
OSV
Repository credentials passed to alternate domain in helm.sh/helm/v32022-07-15
OSV
Helm passes repository credentials to alternate domain2021-06-23
GHSA
Helm passes repository credentials to alternate domain2021-06-23
OSV
Duplicate Advisory: Helm passes repository credentials to alternate domain2021-06-23
CVEList
Repository credentials passed to alternate domain2021-06-16

📋Vendor Advisories

2
Red Hat
helm: information disclosure vulnerability2021-06-16
Microsoft
Repository credentials passed to alternate domain2021-06-08
CVE-2021-32690 — Sensitive Information Exposure in Helm | cvebase