PT-2024-2620 · Cloud Native Computing Foundation · Helm

Published: 2024-03-03 · Updated: 2025-02-11 · CVE-2019-25210

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Helm versions through 3.13.3

Description: An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm where it displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. The vendor's position is that this behavior was introduced intentionally and cannot be removed without breaking backwards compatibility, as some users may be relying on these values. It is also noted that it is not the Helm Project's responsibility if a user decides to use --dry-run within a CI/CD environment whose output is visible to unauthorized persons.

Recommendations: For Helm versions through 3.13.3, avoid using the --dry-run flag in environments where the output may be visible to unauthorized persons, as a temporary workaround to minimize the risk of information disclosure. Restrict access to the CI/CD environment so that unauthorized persons cannot view the output of --dry-run calls. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
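One way to act on the recommendations above when the dry-run output still has to pass through a CI log, as an added example that is not Helm project code: a filter that masks the values of every `kind: Secret` document in the rendered manifests before the text is logged. It assumes Helm's plain-text output layout (YAML documents separated by `---`) and uses a constructed sample rather than real dry-run output.

```python
"""Redact Secret values in Helm --dry-run output before it reaches a CI log.
Added example, not Helm project code. Assumes Helm's plain-text output with
YAML documents separated by `---`; SAMPLE is constructed, not real output.
"""
import re

KIND_SECRET = re.compile(r"^kind:\s*Secret\s*$")
BLOCK_START = re.compile(r"^(data|stringData):\s*$")
ENTRY = re.compile(r"^(\s+[^:\s]+:)\s*\S.*$")  # "  key: value" inside the block

SAMPLE = """\
NAME: demo
---
apiVersion: v1
kind: Secret
data:
  password: c3VwZXJzZWNyZXQ=
stringData:
  token: plain-text-token
---
apiVersion: v1
kind: ConfigMap
data:
  LOG_LEVEL: info
"""

def redact_secret_doc(lines):
    """Mask every value under data:/stringData: in one Secret document."""
    out, in_block = [], False
    for line in lines:
        if BLOCK_START.match(line):
            in_block = True
        elif in_block and line.strip() and not line.startswith(" "):
            in_block = False                      # back at a top-level key
        elif in_block and (m := ENTRY.match(line)):
            line = f"{m.group(1)} [REDACTED]"     # keep the key, drop the value
        out.append(line)
    return out

def redact(text):
    """Split output into YAML documents; redact only those of kind Secret."""
    docs, out = [[]], []
    for line in text.splitlines():
        if line.rstrip() == "---":
            docs.append([])
        docs[-1].append(line)
    for doc in docs:
        secret = any(KIND_SECRET.match(l) for l in doc)
        out.extend(redact_secret_doc(doc) if secret else doc)
    return "\n".join(out) + "\n"
```

Non-Secret documents and the non-YAML header lines pass through unchanged, so the rest of the dry-run output stays usable for review.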

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2024-02687
CVE-2019-25210
GHSA-JW44-4F3J-Q396

Affected Products

Helm