Vulnerability Report: GO-2022-0384

CVE-2021-32690, GHSA-56hp-xqp3-w2jf, and 1 more
Affects: helm.sh/helm/v3
Published: Jul 15, 2022
Modified: May 20, 2024

The username and password credentials associated with a Helm repository can be passed to another domain referenced by that Helm repository. If the index.yaml for a Helm repository is hosted on one domain and references a chart archive on a different domain, Helm will provide the credentials for the index.yaml's domain when fetching those archives.

For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-56hp-xqp3-w2jf.

Affected Packages

Path

Go Versions

Symbols
helm.sh/helm/v3/pkg/downloader

before v3.6.1

Aliases

CVE-2021-32690
GHSA-56hp-xqp3-w2jf
GHSA-7jr6-prv4-5wf5

References

https://github.com/advisories/GHSA-56hp-xqp3-w2jf
https://github.com/helm/helm/commit/61d8e8c4a6f95540c15c6a65f36a6dd0a45e7a2f
https://vuln.go.dev/ID/GO-2022-0384.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL