PT-2021-14402 · Helm+1

Technosophos · Published 2021-02-05 · Updated 2024-03-06

CVE-2021-21303
CVSS v3.1: 5.9 (Medium)
Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Helm versions 3.0 through 3.5.2
Description: Helm, a tool for managing Charts in Kubernetes, has cases where data loaded from potentially untrusted sources was not properly sanitized. This includes invalid SemVer in the version field of a chart, unsanitized fields in Helm repository index.yaml files, plugin.yaml files for plugins, and Chart.yaml files. By exploiting these, attackers could send deceptive information to a terminal screen running the helm command, obscure or alter information on the screen, or execute higher-order logic like clearing a terminal screen. The issue affects Helm 3 and has been resolved by enforcing SemVer2 policies on version fields.
Recommendations: For Helm versions 3.0 through 3.5.2, upgrade to version 3.5.2 or later to resolve the issue. Those who use Helm as a library should verify that they either sanitize this data on their own, or use the proper Helm API calls to sanitize the data.
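As an added illustration of the fix described above (example code, not Helm's own), the following Go check enforces SemVer 2.0.0 on a chart's version field and strips non-printable runes, including the ESC byte that starts ANSI control sequences, from the free-text fields before they are printed to a terminal. ChartMetadata and ValidateChart are hypothetical names; the version pattern is the one published at semver.org.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// ChartMetadata holds the Chart.yaml / index.yaml fields this example checks.
// Hypothetical minimal struct, not Helm's own chart.Metadata type.
type ChartMetadata struct {
	Name        string
	Version     string
	Description string
}

// semverRE is the SemVer 2.0.0 pattern published at semver.org.
var semverRE = regexp.MustCompile(`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

// IsSemVer2 reports whether v is a strictly valid SemVer 2.0.0 version.
func IsSemVer2(v string) bool { return semverRE.MatchString(v) }

// SanitizeForTerminal drops every non-printable rune (ESC, BEL, CR, ...)
// so an untrusted field cannot emit terminal control sequences when printed.
func SanitizeForTerminal(s string) string {
	var b strings.Builder
	for _, r := range s {
		if unicode.IsPrint(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// ValidateChart rejects an invalid version and returns a copy of the
// metadata whose free-text fields are safe to print.
func ValidateChart(m ChartMetadata) (ChartMetadata, error) {
	if !IsSemVer2(m.Version) {
		return ChartMetadata{}, fmt.Errorf("chart %q: version %q is not SemVer 2.0.0",
			SanitizeForTerminal(m.Name), SanitizeForTerminal(m.Version))
	}
	return ChartMetadata{
		Name:        SanitizeForTerminal(m.Name),
		Version:     m.Version, // already restricted to [0-9A-Za-z.+-] by the regexp
		Description: SanitizeForTerminal(m.Description),
	}, nil
}

func main() {
	// Constructed sample: an index.yaml entry carrying an ANSI clear-screen sequence and a BEL.
	untrusted := ChartMetadata{Name: "nginx\x1b[2J", Version: "1.2.3", Description: "web\x07server"}
	clean, err := ValidateChart(untrusted)
	fmt.Printf("%+v err=%v\n", clean, err)
}
```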

Fix

Weakness Enumeration: Special Elements Injection

Related Identifiers

ALT-PU-2022-3299
ALT-PU-2022-3302
AZL-6470
BIT-HELM-2021-21303
CVE-2021-21303
GHSA-C38G-469G-CMGX
GO-2022-1040

Affected Products

Alt Linux
Helm