GHSA-jw44-4f3j-q396

Source
https://github.com/advisories/GHSA-jw44-4f3j-q396
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-jw44-4f3j-q396/GHSA-jw44-4f3j-q396.json
Aliases
  • CVE-2019-25210
Published
2024-03-03T21:31:25Z
Modified
2024-03-15T19:06:55Z
Summary
Helm shows secrets in clear text
Details

An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values).
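One way a CI job can keep Secret payloads out of its logs when it has to call Helm with --dry-run, shown as an added example that is not part of the advisory or of Helm: a line-based filter that masks `data` and `stringData` in `kind: Secret` documents of the rendered output. The function names, the mask string and the sample output are constructed for illustration.

```python
import re
import sys

DOC_SEP = re.compile(r"^---\s*$")
KIND_SECRET = re.compile(r"^kind:\s*[\"']?Secret[\"']?\s*$")
BLOCK = re.compile(r"^(data|stringData):(.*)$")
ENTRY = re.compile(r"^(\s+)([^\s#][^:]*):(\s|$)")
MASK = '"***REDACTED***"'  # assumed mask string

def _redact_doc(lines):  # lines of one YAML document
    if not any(KIND_SECRET.match(l) for l in lines):
        return lines
    out, in_block, key_indent = [], False, None
    for line in lines:
        if in_block and (not line.strip() or line[0].isspace()):
            m = ENTRY.match(line)
            if m and key_indent is None:
                key_indent = len(m.group(1))
            if m and len(m.group(1)) == key_indent:
                out.append(f"{m.group(1)}{m.group(2)}: {MASK}")
            continue  # deeper or unparsed lines are value text: drop them
        in_block = False  # a top-level line ends the block
        m = BLOCK.match(line)
        if m:
            in_block, key_indent = True, None
            if m.group(2).strip():  # inline or flow-style value: mask whole
                line = f"{m.group(1)}: {MASK}"
        out.append(line)
    return out

def redact_dry_run(text):
    out, doc = [], []
    for line in text.splitlines():
        if DOC_SEP.match(line):
            out += _redact_doc(doc) + [line]
            doc = []
        else:
            doc.append(line)
    return "\n".join(out + _redact_doc(doc)) + "\n"

# Constructed sample of rendered output, not taken from a real chart.
SAMPLE = (
    "NAME: demo\nMANIFEST:\n---\nkind: Secret\ndata:\n  password: czNjcjN0\n"
    "stringData:\n  tls.key: |\n    line-one\n    line-two\n"
    "---\nkind: ConfigMap\ndata:\n  mode: prod\n"
)
if __name__ == "__main__":  # filter piped input, or show the sample
    src = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(redact_dry_run(src))
```

The filter only covers `kind: Secret` documents; a value that a chart also renders into another resource is left as is.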

References

Affected packages

Go / helm.sh/helm/v3

Package

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Last affected
3.14.2