{"affected_release": [{"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-grafana-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-must-gather-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-operator-bundle-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "application-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "assisted-image-service-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cert-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-backup-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "clusterclaims-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-curator-controller-container", "product_name": "Red Hat Advanced Cluster 
Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "clusterlifecycle-state-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-proxy-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "config-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "console-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "console-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "discovery-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "endpoint-monitoring-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-propagator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": 
"governance-policy-spec-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-status-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-template-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grafana-dashboard-loader-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grc-ui-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grc-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "iam-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "insights-client-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "insights-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": 
"cpe:/a:redhat:acm:2.4::el8", "package": "klusterlet-addon-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "klusterlet-addon-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "klusterlet-operator-bundle-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "kube-rbac-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "kube-state-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "managedcluster-import-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "management-ingress-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "memcached-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "memcached-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": 
"2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "metrics-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicloud-integrations-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicloud-manager-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multiclusterhub-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multiclusterhub-repo-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-observability-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-application-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-channel-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-deployable-container", 
"product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-placementrule-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-subscription-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-subscription-release-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "node-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "observatorium-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "observatorium-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "openshift-hive-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "placement-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", 
"cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "prometheus-alertmanager-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "prometheus-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "provider-credential-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rbac-query-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "redisgraph-tls-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "registration-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "registration-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-agent-service-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-agent-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, 
{"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-reporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-aggregator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "submariner-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "thanos-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, 
{"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "thanos-receive-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-rclone-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-restic-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-rsync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "work-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:3925", "cpe": "cpe:/a:redhat:acm:2.3::el8", "package": "rhacm2/multicluster-operators-channel-rhel8:v2.3.3-2", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8", "release_date": "2021-10-20T00:00:00Z"}, {"advisory": "RHSA-2021:3759", "cpe": "cpe:/a:redhat:openshift:4.9::el8", "package": "openshift4/ose-console:v4.9.0-202110130449.p0.git.8c077e4.assembly.rc.8", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2021-10-18T00:00:00Z"}, {"advisory": "RHSA-2021:4902", "cpe": "cpe:/a:redhat:advanced_cluster_security:3.67::el8", "package": 
"advanced-cluster-security/rhacs-rhel8-operator:3.67.0-3", "product_name": "RHACS-3.67-RHEL-8", "release_date": "2021-12-01T00:00:00Z"}, {"advisory": "RHEA-2021:3139", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "web-terminal-tech-preview/web-terminal-exec-rhel8:1.3-9", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2021-08-11T00:00:00Z"}, {"advisory": "RHEA-2021:3139", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "web-terminal-tech-preview/web-terminal-rhel8-operator:1.3-20", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2021-08-11T00:00:00Z"}, {"advisory": "RHEA-2021:3139", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "web-terminal-tech-preview/web-terminal-rhel8-operator-metadata:1.3-19", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2021-08-11T00:00:00Z"}, {"advisory": "RHEA-2021:3139", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "web-terminal-tech-preview/web-terminal-tooling-rhel8:1.3-6", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2021-08-11T00:00:00Z"}], "bugzilla": {"description": "helm: information disclosure vulnerability", "id": "1978144", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1978144"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. 
One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. If there is another domain found and that chart version was pulled or installed, the credentials would be passed on.", "A vulnerability was discovered in Helm, which could allow credentials associated with one Helm repository to be leaked to another repository referenced by the first one. In order to exploit this vulnerability, an attacker would need to control a repository trusted by the configuration of the target Helm instance."], "name": "CVE-2021-32690", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Will not fix", "package_name": "helm", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Out of support scope", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Out of support scope", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "cert-policy-controller", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "config-policy-controller", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": 
"endpoint-component-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "endpoint-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "governance-policy-propagator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "governance-policy-spec-sync", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "governance-policy-status-sync", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "governance-policy-template-sync", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "iam-policy-controller", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "multicloudhub-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "multicloudhub-repo", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "multicloud-operators-application", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "multicloud-operators-channel", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": 
"multicloud-operators-deployable", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "multicloud-operators-foundation", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "multicloud-operators-placementrule", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "multicloud-operators-subscription", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "multicloud-operators-subscription-release", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rcm-controller", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "registration-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/acmesolver-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/cainjector-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/cert-manager-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/cert-manager-webhook-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", 
"fix_state": "Not affected", "package_name": "rhacm2/cert-policy-controller-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/cluster-curator-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/clusterlifecycle-state-metrics-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/config-policy-controller-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/endpoint-monitoring-rhel8-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/governance-policy-propagator-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/governance-policy-spec-sync-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/governance-policy-status-sync-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/governance-policy-template-sync-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/iam-policy-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": 
"rhacm2/managedcluster-import-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/metrics-collector-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicloud-manager-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multiclusterhub-repo-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multiclusterhub-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-observability-rhel8-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-operators-application-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-operators-deployable-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-operators-placementrule-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-operators-subscription-release-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-operators-subscription-rhel8", 
"product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/openshift-hive-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/rcm-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/registration-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/registration-rhel8-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/search-aggregator-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/search-collector-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/search-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/subctl-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/submariner-addon-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/submariner-operator-bundle", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/submariner-rhel8-operator", 
"product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/work-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "search-aggregator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "search-collector", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "search-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "helm", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "helm", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-ansible-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-helm-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-metering-helm-container-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-operator-sdk-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "osp-director-provisioner-container", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", 
"fix_state": "Not affected", "package_name": "rhosp-rhel8-tech-preview/osp-director-downloader", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "rhosp-rhel8-tech-preview/osp-director-operator", "product_name": "Red Hat OpenStack Platform 16.2"}], "public_date": "2021-06-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-32690\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-32690\nhttps://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf"], "statement": "Red Hat Advanced Cluster Management for Kubernetes:\nIn Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are using helm charts provided by the installer, so components are not using untrusted charts except in the application-lifecycle area. For this reason we marked the impact as low. For RHACM, the credentials could be leaked only when a helm chart is stored in a domain other than the helm repository itself. In practice, this rarely happens as the chart is stored in the same helm repository. For example, this chart in the helm repo https://charts.helm.sh/stable/index.yaml references only charts stored in the same domain (charts.helm.sh). From version 2.2 onwards, multicloud-operators-placementrule and multicloud-operators-deployable do not use helm at all.\nOpenShift Developer Tools and Services:\nThe OpenShift Helm team has analyzed this CVE and we have come to the conclusion that this only affects OpenShift Helm customers that use the CLI to install and update charts. It does not affect customers that use the OpenShift Console to install and update charts. To mitigate this issue, customers can refresh their Helm CLI by following the Red Hat official Helm install guide here: https://docs.openshift.com/container-platform/4.7/cli_reference/helm_cli/getting-started-with-helm-on-openshift-container-platform.html#installing-helm_getting-started-with-helm-on-openshift. 
The mirror (https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/) has already been updated with helm 3.6.2, which contains the fix for this CVE.", "threat_severity": "Moderate"}