Description
An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm through 3.13.3. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values). Also, it is not the Helm Project's responsibility if a user decides to use --dry-run within a CI/CD environment whose output is visible to unauthorized persons.
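The practical exposure described above is that whatever `helm install --dry-run` or `helm upgrade --dry-run` renders, including the `data:` and `stringData:` blocks of any templated Secret, ends up in the CI job log. The following added example (not code from the Helm project or the advisory) is a dependency-free filter a pipeline can pipe that output through before it is logged: it splits the rendered manifest into YAML documents, finds the ones whose `kind:` is `Secret`, and replaces every value under their top-level `data:`/`stringData:` mappings, including multi-line block scalars, with a placeholder. The sample input is constructed to look like Helm's dry-run output and is not captured from a real chart; the script name in the usage comment is an assumption.

```python
"""Redact Secret values from rendered Helm manifests before they reach CI logs.

Assumed pipeline usage (script name is an assumption, adjust to your chart):
    helm install demo ./chart --dry-run | python3 redact_helm_secrets.py
"""
import re
import sys
from typing import List, Optional

DOC_SEP = re.compile(r"^---\s*$")
KIND_RE = re.compile(r"^kind:\s*(\S+)\s*$")
TOP_KEY_RE = re.compile(r"^([A-Za-z0-9_.-]+):\s*(.*)$")
CHILD_KV_RE = re.compile(r"^(\s+)([^\s#][^:]*):\s*(.*)$")
BLOCK_SCALAR_RE = re.compile(r"^[|>][-+0-9]*$")   # YAML literal/folded scalar indicator
SENSITIVE_KEYS = ("data", "stringData")
REDACTED = "<REDACTED>"

# Constructed sample of `helm install --dry-run` output for a chart that
# templates a Secret and a ConfigMap; not captured from a real chart.
SAMPLE_DRY_RUN_OUTPUT = """\
NAME: demo
LAST DEPLOYED: Mon Mar  4 10:00:00 2024
NAMESPACE: default
STATUS: pending-install
MANIFEST:
---
# Source: demo/templates/secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: demo-db
type: Opaque
data:
  password: aHVudGVyMg==
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    FAKE-KEY-MATERIAL-NOT-REAL
    -----END PRIVATE KEY-----
stringData:
  api-key: plaintext-key-123
---
# Source: demo/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-cfg
data:
  LOG_LEVEL: info
"""


def split_documents(text: str) -> List[List[str]]:
    """Split on `---` lines; each separator starts a new document and is kept."""
    docs: List[List[str]] = [[]]
    for line in text.splitlines():
        if DOC_SEP.match(line):
            docs.append([line])
        else:
            docs[-1].append(line)
    return docs


def doc_kind(doc: List[str]) -> Optional[str]:
    """Return the top-level `kind:` of a document regardless of key order."""
    for line in doc:
        m = KIND_RE.match(line)
        if m:
            return m.group(1)
    return None


def redact_secret_doc(doc: List[str]) -> List[str]:
    """Replace values under top-level data:/stringData: with a placeholder."""
    out: List[str] = []
    in_sensitive = False            # inside a data:/stringData: mapping
    skip_deeper_than: Optional[int] = None  # indent of a key whose block scalar we drop
    for line in doc:
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if skip_deeper_than is not None:
            if stripped == "" or indent > skip_deeper_than:
                continue        # continuation of a redacted block scalar
            skip_deeper_than = None
        if stripped == "" or stripped.startswith("#"):
            out.append(line)
            continue
        if indent == 0:
            m = TOP_KEY_RE.match(line)
            in_sensitive = bool(m) and m.group(1) in SENSITIVE_KEYS
            out.append(line)
            continue
        if in_sensitive:
            m = CHILD_KV_RE.match(line)
            if m:
                ws, key, value = m.groups()
                out.append(f"{ws}{key}: {REDACTED}")
                if BLOCK_SCALAR_RE.match(value.strip()):
                    skip_deeper_than = len(ws)
                continue
        out.append(line)
    return out


def redact_manifest(text: str) -> str:
    """Redact every Secret document in a rendered manifest; other docs pass through."""
    out: List[str] = []
    for doc in split_documents(text):
        out.extend(redact_secret_doc(doc) if doc_kind(doc) == "Secret" else doc)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DRY_RUN_OUTPUT
    sys.stdout.write(redact_manifest(source))
```

Two caveats a practitioner should keep in mind. The filter is line-based and assumes the two-space indentation Helm emits; a pipeline that already has PyYAML available should parse the documents properly instead. And it only helps if the raw Helm output never reaches the log in the first place: a CI step that runs with `set -x`, tees the command output to an artifact, or lets a wrapper print the unfiltered stream still leaks the values, so the redirection has to be the only path from Helm to the log.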
References (3)
Issue Tracking
https://github.com/helm/helm/issues/7275
Vendor Advisory
https://helm.sh/blog/response-cve-2019-25210/
Scores
CVSS v3
6.5
EPSS
0.0067
EPSS Percentile
47.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-200
Status
published
Products (2)
helm/helm
helm/v3
3.0.0 (Go)
Published
Mar 03, 2024
Tracked Since
Feb 18, 2026