Cloud Vulnerability DB
In Helm versions 3.0 through 3.5.1, several cases were identified where data loaded from potentially untrusted sources was not properly sanitized. The vulnerability (CVE-2021-21303) was discovered during a routine code audit by Helm core maintainers and was patched in version 3.5.2. The issue affected the handling of SemVer strings in version fields, repository index.yaml files, plugin.yaml files, and Chart.yaml files (GitHub Advisory).
The root cause was a change in version-parsing behavior: version strings that did not satisfy the SemVer 2 specification were passed along as-is instead of being rejected, so arbitrary bytes could travel through a version field. Fields read from repository index.yaml files, plugin.yaml files, and Chart.yaml files were likewise not sanitized before use (GitHub Advisory).
Because helm renders these fields to the terminal, an attacker who controls a chart repository, chart, or plugin could embed terminal control sequences in them to display deceptive information, obscure or alter what is on screen, and in some cases trigger terminal behavior such as clearing the screen. The weakness affected both end users of the helm CLI and programs that consume Helm as a library (GitHub Advisory).
The issue was fixed in Helm 3.5.2, and users should upgrade to that version or later. Those unable to upgrade immediately should avoid untrusted chart repositories and Helm plugins, manually audit index.yaml files for suspicious characters or formatting, and scan plugin.yaml and Chart.yaml files for suspicious content. Helm 2 was not audited for this vulnerability and should be assumed vulnerable (GitHub Release, GitHub Advisory).
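The manual audit recommended as a workaround can be scripted. The Go program below is an added example written for this page; it is not Helm's own code and does not come from the advisory. It assumes a line-oriented read of the metadata file rather than a full YAML parse, and the index it scans (SampleIndex) is constructed for the demonstration. It applies the strict SemVer 2.0.0 grammar (the regular expression published at semver.org) to every version field and flags raw control characters, as well as YAML escapes that decode to ESC, in any line, which covers both the lax version parsing and the unsanitized index.yaml, plugin.yaml and Chart.yaml fields described above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Finding is one suspicious line found in a Helm metadata file.
type Finding struct {
	Line   int
	Reason string
	Text   string
}

// semverRE is the SemVer 2.0.0 grammar published at semver.org, anchored at both
// ends so that trailing bytes (such as an escape sequence) cannot ride along.
var semverRE = regexp.MustCompile(`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)` +
	`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
	`(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

// yamlEscRE spots YAML double-quoted escapes that decode to ESC (0x1B), so a file
// that spells the byte as \e or \x1b instead of embedding it raw is still caught.
// This is a heuristic: it also matches a literal backslash-e in ordinary text.
var yamlEscRE = regexp.MustCompile(`\\(?:e|x1[bB]|u001[bB]|U0000001[bB])`)

// IsStrictSemVer reports whether s is a complete SemVer 2.0.0 version with no
// extra characters (no "v" prefix, no missing patch component, no trailing bytes).
func IsStrictSemVer(s string) bool {
	return semverRE.MatchString(s)
}

// splitKV pulls "key: value" out of one YAML line, ignoring indentation, a leading
// "- " list marker and surrounding quotes. It is a line heuristic, not a YAML parser.
func splitKV(line string) (key, val string, ok bool) {
	s := strings.TrimPrefix(strings.TrimLeft(line, " "), "- ")
	i := strings.Index(s, ":")
	if i < 0 {
		return "", "", false
	}
	key = strings.TrimSpace(s[:i])
	val = strings.Trim(strings.TrimSpace(s[i+1:]), `"'`)
	return key, val, true
}

// ScanHelmMetadata audits the text of an index.yaml, Chart.yaml or plugin.yaml and
// returns every line that carries a raw control character, a YAML escape for ESC,
// or a "version" value that is not strict SemVer.
func ScanHelmMetadata(content string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		for _, r := range line {
			// Tabs are legal whitespace; anything else in C0/C1 (ESC, CR, BEL, ...)
			// has no business in a chart name, version or description.
			if unicode.IsControl(r) && r != '\t' {
				findings = append(findings, Finding{n, fmt.Sprintf("raw control character U+%04X", r), line})
				break
			}
		}
		if yamlEscRE.MatchString(line) {
			findings = append(findings, Finding{n, "YAML escape sequence for ESC (0x1B)", line})
		}
		if key, val, ok := splitKV(line); ok && key == "version" && !IsStrictSemVer(val) {
			findings = append(findings, Finding{n, fmt.Sprintf("version %q is not strict SemVer 2.0.0", val), line})
		}
	}
	return findings
}

// SampleIndex is a constructed repository index, not a real one: one clean entry,
// one whose version carries a raw ESC[2J (clear screen) and whose description
// spells an ANSI colour code with a YAML \e escape, and one with a sloppy version.
const SampleIndex = "apiVersion: v1\n" +
	"entries:\n" +
	"  safe-chart:\n" +
	"    - name: safe-chart\n" +
	"      version: 1.4.0\n" +
	"      description: a well-formed entry\n" +
	"  evil-chart:\n" +
	"    - name: evil-chart\n" +
	"      version: 1.0.0\x1b[2J\n" +
	"      description: \"looks fine \\e[1;31mbut is not\"\n" +
	"  sloppy-chart:\n" +
	"    - name: sloppy-chart\n" +
	"      version: 1.0\n"

func main() {
	for _, f := range ScanHelmMetadata(SampleIndex) {
		// %q escapes the control bytes, so the audit report itself cannot be used
		// to attack the terminal it is printed on.
		fmt.Printf("line %d: %s: %q\n", f.Line, f.Reason, f.Text)
	}
}
```

Run against the constructed index it reports four findings: the raw ESC on line 9, the same line's version failing the strict grammar, the `\e` escape on line 10, and the two-component version on line 13. Two caveats for real use: the `version` field of a Chart.yaml dependency is a constraint such as `>=1.2.0` and will be flagged as non-SemVer, and a line-oriented scan cannot see scalars that a YAML parser would assemble from multiple lines, so a thorough audit should decode the file with a YAML library and apply the same checks to every decoded string.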
Source: This report was generated using AI