Headline
GHSA-jw44-4f3j-q396: Helm shows secrets in clear text
An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor’s position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values).
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2019-25210
Helm shows secrets in clear text
Moderate severity GitHub Reviewed Published Mar 3, 2024 to the GitHub Advisory Database • Updated Mar 5, 2024
Package
gomod helm.sh/helm/v3 (Go)
Affected versions
>= 3.0.0, <= 3.14.2
An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor’s position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values).
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-25210
- helm/helm#7275
- https://www.cncf.io/projects/helm
Published to the GitHub Advisory Database
Mar 3, 2024
Related news
Red Hat Security Advisory 2024-0041-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, password leak, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-1570-03 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-1549-03 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes bug and security fixes. Issues addressed include a traversal vulnerability.