Bug 1978144 (CVE-2021-32690) - CVE-2021-32690 helm: information disclosure vulnerability
Summary: CVE-2021-32690 helm: information disclosure vulnerability
Alias: CVE-2021-32690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1991827 1991828 1980633 1984588 1985915 1987051 1987052 1987053 1987055 1987056 1987057 1988206 1988207 1988208 1988209 1988210
Blocks: 1978146
TreeView+ depends on / blocked
Reported: 2021-07-01 08:18 UTC by Dhananjay Arunesh
Modified: 2022-03-03 23:54 UTC (History)
53 users (show)

Fixed In Version: helm 3.6.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in Helm, which could allow credentials associated with one Helm repository to be leaked to another repository referenced by the first one. In order to exploit this vulnerability, an attacker would need to control a repository trusted by the configuration of the target Helm instance.
Clone Of:
Last Closed: 2021-10-18 20:08:19 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:28:38 UTC
Red Hat Product Errata RHSA-2021:3925 0 None None None 2021-10-20 03:55:19 UTC
Red Hat Product Errata RHSA-2021:4618 0 None None None 2021-11-11 18:32:16 UTC
Red Hat Product Errata RHSA-2021:4902 0 None None None 2021-12-01 17:24:00 UTC

Description Dhananjay Arunesh 2021-07-01 08:18:13 UTC
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. If there is another domain found and that chart version was pulled or installed, the credentials would be passed on.


Comment 3 Przemyslaw Roguski 2021-07-22 20:08:59 UTC
Upstream fix:

Comment 12 Tapas Jena 2021-08-10 06:26:36 UTC
Analysis is complete for Ansible affected components i.e. Ansible Tower (AAP 1.2) and Ansible Controller (AAP 2.0) and it was found that these components are affected by this CVE both from current version and current functionality implementation point of view. Hence, marking Ansible components as "Affected".

Comment 15 errata-xmlrpc 2021-10-18 17:28:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759

Comment 16 Product Security DevOps Team 2021-10-18 20:08:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 17 errata-xmlrpc 2021-10-20 03:55:16 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7

Via RHSA-2021:3925 https://access.redhat.com/errata/RHSA-2021:3925

Comment 18 errata-xmlrpc 2021-11-11 18:32:14 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618

Comment 19 errata-xmlrpc 2021-12-01 17:23:58 UTC
This issue has been addressed in the following products:


Via RHSA-2021:4902 https://access.redhat.com/errata/RHSA-2021:4902

Note You need to log in before you can comment on or make changes to this bug.