Helm · Helm · CVE-2021-32690
**Name of the Vulnerable Software and Affected Versions**
Helm versions prior to 3.6.1
**Description**
Helm passed the `username` and `password` configured for a chart repository on to other domains referenced by that repository. The condition arises when a repository's `index.yaml` is hosted on one domain but a chart version's `urls` list points at a chart archive on a different domain: when fetching that archive, Helm sent the credentials intended for the `index.yaml`'s domain to the other domain. The issue is fixed in Helm 3.6.1. As a workaround, a repository can be audited for improperly passed credentials by inspecting its `index.yaml` and looking for a domain other than the repository's own in the `urls` list of each chart version.
**Recommendations**
Upgrade to Helm 3.6.1 or later.
As a temporary workaround, audit every Helm repository that is configured with credentials to check whether another domain could have received them: in the repository's `index.yaml`, inspect the `urls` list of each chart version and look for a URL whose domain differs from the one serving the `index.yaml`. If such a URL exists and that chart version was ever pulled or installed with a vulnerable Helm, the repository's credentials were sent to that other domain and should be treated as exposed to it.
Helm 3.6.1 also adds a `--pass-credentials` flag (for example on `helm repo add`) that restores the previous behavior as an explicit opt-in for a single repository: the `username` and `password` are then passed to other domains Helm may encounter while retrieving a chart from that repository. Use it only where the chart archives are intentionally hosted on another domain that is trusted with those credentials.
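The audit described above can be scripted. The following is an added example and is not Helm's own code: it walks the `entries` of an `index.yaml`, resolves each archive URL the way Helm does (relative URLs are joined onto the repository URL, absolute URLs are used as-is), and reports every chart version whose archive would be fetched from a different origin than the `index.yaml`. The sample index, the repository URL `https://charts.example.com/` and the host `cdn.other-host.net` are constructed for the example; the line-based parser assumes the block-style, two-space-indented layout that `helm repo index` writes, so a real audit of hand-edited indexes should swap in a full YAML parser.

```python
"""Flag chart archives in a Helm index.yaml that live on another origin.

Added example for the CVE-2021-32690 workaround, not part of Helm.
Assumes the block-style layout produced by `helm repo index`.
"""
from urllib.parse import urljoin, urlparse

# Constructed sample index.yaml: a same-origin archive, a relative archive,
# and a chart version whose first archive URL points at a different host.
SAMPLE_INDEX = """\
apiVersion: v1
entries:
  app:
    - apiVersion: v2
      name: app
      version: 1.1.0
      urls:
        - https://charts.example.com/app-1.1.0.tgz
    - apiVersion: v2
      name: app
      version: 1.0.0
      urls:
        - app-1.0.0.tgz
  tools:
    - apiVersion: v2
      name: tools
      version: 0.3.0
      urls:
        - https://cdn.other-host.net/tools-0.3.0.tgz
        - https://charts.example.com/mirror/tools-0.3.0.tgz
"""


def origin(url):
    """Return (scheme, host, port) so that a port change or an https-to-http
    downgrade also counts as a different origin, not just a new hostname."""
    p = urlparse(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def parse_chart_urls(index_text):
    """Yield (chart, version, url) for every entry in each chart version's
    `urls:` list. Chart names sit at indent 2, version items start with
    "- " at indent 4, their keys sit at indent 6 and url items at indent 8."""
    chart = version = None
    in_urls = False
    results = []
    for raw in index_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        body = raw.strip()
        new_item = body.startswith("- ")
        if new_item and indent == 4:            # start of a new chart version
            version, in_urls = None, False
            body, indent = body[2:].strip(), 6  # "- key: v" is the item's first key
        if indent == 2 and body.endswith(":"):  # chart name under `entries:`
            chart, version, in_urls = body[:-1], None, False
        elif indent == 6:                       # keys of the current version
            if body.startswith("version:"):
                version = body.split(":", 1)[1].strip().strip("\"'")
            in_urls = body == "urls:"           # any other key ends the list
        elif indent == 8 and new_item and in_urls:
            results.append((chart, version, body[2:].strip().strip("\"'")))
    return results


def foreign_archives(index_text, repo_url):
    """Return (chart, version, absolute_url) for every archive that a
    vulnerable Helm would have fetched from an origin other than the
    index.yaml's own, i.e. where the repository credentials leaked."""
    base = repo_url.rstrip("/") + "/"
    index_origin = origin(base)
    flagged = []
    for chart, version, url in parse_chart_urls(index_text):
        absolute = urljoin(base, url)           # relative URLs stay on our origin
        if origin(absolute) != index_origin:
            flagged.append((chart, version, absolute))
    return flagged


if __name__ == "__main__":
    for chart, version, url in foreign_archives(SAMPLE_INDEX, "https://charts.example.com/"):
        print(f"{chart} {version}: archive on another origin -> {url}")
```

Any chart version this reports that was pulled or installed with Helm older than 3.6.1 sent the repository's credentials to the listed origin; the relative `app-1.0.0.tgz` entry and the same-host mirror URL are correctly left out.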