CVE-2021-32690 Information
Description
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1 a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the index.yaml file for that repository one may look for another domain in the urls list for the chart versions. If there is another domain found and that chart version was pulled or installed the credentials would be passed on.
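The audit the advisory describes can be automated: walk every chart version in index.yaml and flag any entry in its urls list whose host is not the repository's own host. The following is an added example, not code from the Helm project; the sample index is constructed, and the function assumes the index has already been parsed into a dict (for example with PyYAML's yaml.safe_load, wrapped in load_index_yaml below).

```python
from urllib.parse import urlparse

# Constructed sample of a parsed index.yaml (the shape yaml.safe_load returns).
# The repository is served from charts.example.com; one chart version points elsewhere.
SAMPLE_INDEX = {
    "apiVersion": "v1",
    "entries": {
        "mychart": [
            {"name": "mychart", "version": "1.2.0",
             "urls": ["mychart-1.2.0.tgz"]},  # relative: resolved against the repo
            {"name": "mychart", "version": "1.1.0",
             "urls": ["https://charts.example.com/mychart-1.1.0.tgz"]},
            {"name": "mychart", "version": "1.0.0",
             "urls": ["https://cdn.other-domain.example/mychart-1.0.0.tgz"]},
        ],
    },
}


def _host(url):
    return (urlparse(url).hostname or "").lower()


def foreign_chart_urls(index, repo_url):
    """Return (chart, version, url) for every chart URL whose host differs from
    the Helm repository's host. A pre-3.6.1 client would send the repository's
    credentials to such a host when pulling or installing that version.
    Relative URLs resolve against the repository, so they are treated as same-host."""
    repo_host = _host(repo_url)
    findings = []
    for chart, versions in (index.get("entries") or {}).items():
        for entry in versions or []:
            for url in entry.get("urls") or []:
                if not urlparse(url).netloc:  # relative path, stays on the repo host
                    continue
                if _host(url) != repo_host:
                    findings.append((chart, entry.get("version", "?"), url))
    return findings


def load_index_yaml(text):
    """Parse raw index.yaml text; requires PyYAML (pip install pyyaml)."""
    import yaml
    return yaml.safe_load(text)


if __name__ == "__main__":
    for chart, version, url in foreign_chart_urls(SAMPLE_INDEX, "https://charts.example.com"):
        print(f"{chart} {version}: chart URL on another host -> {url}")
```

Pass the same URL you gave to `helm repo add` as repo_url; any finding for a version that was pulled or installed with a pre-3.6.1 client means the repository credentials should be treated as exposed and rotated.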
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Reference
https://github.com/helm/helm/releases/tag/v3.6.1
https://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
8.6
Base Severity
HIGH