CVE-2021-32690
Summary
| CVE | CVE-2021-32690 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-06-16 22:15:00 UTC |
| Updated | 2022-10-25 15:16:00 UTC |
| Description | Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of Helm prior to 3.6.1, the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. As a workaround, improperly passed credentials can be detected by audit: if a username and password are used for a Helm repository, inspect that repository's `index.yaml` file and look for another domain in the `urls` list of the chart versions. If another domain is found and that chart version was pulled or installed, the credentials would have been passed on to it. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Repository credentials passed to alternate domain · Advisory · helm/helm · GitHub | CONFIRM | github.com | |
| Release Helm 3.6.1 · helm/helm · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 375763 Helm Chart Repository Vulnerability
- 502869 Alpine Linux Security Update for helm
- 900351 Common Base Linux Mariner (CBL-Mariner) Security Update for helm (5486)
- 901392 Common Base Linux Mariner (CBL-Mariner) Security Update for helm (6471-1)
- 982061 Go (go) Security Update for helm.sh/helm/v3 (GHSA-7jr6-prv4-5wf5)