PT-2021-19859 · Helm+1

Mattfarina · Published 2021-06-16 · Updated 2024-03-06 · CVE-2021-32690

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Helm versions prior to 3.6.1

Description: A vulnerability exists in Helm where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue occurs when the index.yaml file for a Helm repository is hosted on one domain and references a chart archive on a different domain. In such cases, Helm will provide the credentials for the index.yaml's domain when fetching those archives. The issue has been resolved in version 3.6.1. A workaround is available to check for improperly passed credentials by auditing the Helm repository and looking for another domain in the urls list for the chart versions in the index.yaml file.

Recommendations: For versions prior to 3.6.1, update to version 3.6.1 to resolve the issue. As a temporary workaround, consider auditing the Helm repository to check for another domain being used that could have received the credentials. In the index.yaml file for the repository, look for another domain in the urls list for the chart versions. If another domain is found and that chart version was pulled or installed, the credentials would have been passed on. To pass the username and password to other domains Helm may encounter when retrieving a chart, the new --pass-credentials flag can be used, which restores the old behavior for a single repository as an opt-in behavior.
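An added audit script, not part of this advisory or of Helm's own code, that carries out the workaround above: it scans a repository's index.yaml and reports every chart version whose archive URL points at a host other than the repository's own, i.e. the chart versions for which credentials would have been forwarded by Helm before 3.6.1. The sample index content, repository URL and hostnames are constructed for the example. The scanner handles the block-style layout that `helm repo index` writes and needs no third-party YAML library; for unusual YAML (anchors, multi-line flow collections) parse the file with a full YAML parser and pass the resulting `entries` mapping to `audit_entries()` instead.

```python
"""Audit a Helm repository index.yaml for cross-domain chart archive URLs.

Hypothetical helper (not Helm's own code). Flags chart versions whose `urls`
entries name a host different from the repository host: those are the versions
for which Helm < 3.6.1 would have sent the repository credentials elsewhere.
"""
from urllib.parse import urlparse

# Constructed sample index.yaml: one version served from the repo host, one with
# a relative path (resolved against the repo, so fine), and one whose archive is
# hosted on another domain.
SAMPLE_INDEX = """\
apiVersion: v1
entries:
  nginx:
  - apiVersion: v2
    name: nginx
    version: 1.2.0
    urls:
    - https://charts.example.com/nginx-1.2.0.tgz
  - apiVersion: v2
    name: nginx
    version: 1.1.0
    urls:
    - nginx-1.1.0.tgz
  redis:
  - apiVersion: v2
    name: redis
    version: 3.0.0
    urls:
    - https://cdn.other-domain.example/redis-3.0.0.tgz
    - https://charts.example.com/redis-3.0.0.tgz
generated: "2021-06-16T00:00:00Z"
"""


def parse_index(text):
    """Return {chart_name: [{"version": str, "urls": [str, ...]}, ...]}.

    Line-based scanner for the block-style layout emitted by `helm repo index`:
    chart names are 2-space-indented keys under `entries:`, each chart version
    is a `- ` item at the same indent, and `urls:` holds a block (or flow) list.
    """
    entries = {}
    chart = None       # chart currently being read
    current = None     # version record currently being read
    in_urls = False    # True while consuming the items of a `urls:` list
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:                       # top-level key: leave `entries:`
            chart, current, in_urls = None, None, False
            continue
        if indent == 2 and not line.startswith("- ") and line.endswith(":"):
            chart = line[:-1]                 # new chart name
            entries[chart] = []
            current, in_urls = None, False
            continue
        if chart is None:
            continue
        if line.startswith("- "):
            if indent == 2:                   # new version item for this chart
                current = {"version": None, "urls": []}
                entries[chart].append(current)
                in_urls = False
                line = line[2:].strip()       # first key of the item is inline
            else:                             # list item inside the version
                if in_urls and current is not None:
                    current["urls"].append(line[2:].strip().strip("'\""))
                continue
        else:
            in_urls = False                   # any plain key ends the urls list
        if current is None:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "version":
            current["version"] = value.strip("'\"")
        elif key == "urls":
            in_urls = True
            if value.startswith("["):         # flow-style list on one line
                current["urls"].extend(
                    u.strip().strip("'\"") for u in value[1:-1].split(",") if u.strip()
                )
    return entries


def audit_entries(entries, repo_url):
    """Return [(chart, version, url), ...] for every archive URL whose host
    differs from the repository host. Relative URLs resolve against the
    repository and are not flagged."""
    repo_host = urlparse(repo_url).netloc.lower()
    findings = []
    for chart, versions in entries.items():
        for rec in versions:
            for url in rec["urls"]:
                host = urlparse(url).netloc.lower()
                if host and host != repo_host:
                    findings.append((chart, rec["version"], url))
    return findings


def audit_index(text, repo_url):
    """Convenience wrapper: parse index.yaml text and audit it against repo_url."""
    return audit_entries(parse_index(text), repo_url)


if __name__ == "__main__":
    for chart, version, url in audit_index(SAMPLE_INDEX, "https://charts.example.com"):
        print(f"{chart} {version}: archive on other host -> {url}")
```

Run it against a real repository by fetching `<repo-url>/index.yaml` and passing the text together with the repository URL you registered with `helm repo add`; any chart version it lists that was pulled or installed with Helm before 3.6.1 should be treated as having exposed the repository credentials to the listed host.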

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2022-3299
ALT-PU-2022-3302
AZL-6471
BIT-HELM-2021-32690
CVE-2021-32690
GHSA-56HP-XQP3-W2JF
GHSA-7JR6-PRV4-5WF5
GO-2022-0384

Affected Products

Alt Linux
Helm