
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in Helm, the Kubernetes package manager (CVE-2021-32690), in which the username and password configured for a Helm chart repository could be inadvertently sent to another domain referenced by that repository. The issue was found by a Helm core maintainer and disclosed on June 16, 2021; it affects Helm versions before 3.6.1, that is, 3.6.0 and earlier (GitHub Advisory).
The flaw lies in how Helm attached repository credentials to chart downloads. A repository's index.yaml lists, for every chart version, one or more archive locations under `urls:`; these may be relative paths served by the repository itself or absolute URLs on entirely different hosts (a CDN, a mirror, another repository). Before 3.6.1, Helm sent the username and password configured for the repository as HTTP Basic credentials with every chart archive request made on that repository's behalf, regardless of whether the target host was the repository's own. Nothing warned the user; the credentials were simply included in the request to whatever domain the index pointed at (GitHub Advisory).
The practical consequence is that the repository's credentials were disclosed to the operator of every third-party domain referenced in index.yaml, and to anyone in a position to observe those requests, without the user's awareness (GitHub Advisory).
The issue was patched in Helm 3.6.1 (GitHub Release, GitHub Advisory). The fix changes the default behavior: credentials are now sent only to the repository's own URL, scoped to the repository's scheme, host, and port, and a chart archive hosted anywhere else is fetched without them. Where passing credentials to other domains is genuinely required, the new opt-in flag `--pass-credentials` (accepted by `helm repo add` and the commands that fetch charts) restores the old behavior for that repository. Because the change can break setups that depended on cross-domain credentials, administrators should inspect each repository's index.yaml for `urls:` entries that point at other domains, both to learn where credentials may already have been exposed and to decide whether the flag is needed; credentials that reached a third-party domain should be rotated.
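The audit described above, as an added example rather than Helm's own code: the script applies the 3.6.1 rule (same scheme, host and port as the repository, or an explicit `--pass-credentials` opt-in) to an index.yaml and reports the chart URLs a pre-3.6.1 client would have sent the repository's credentials to. The repository URL and the index.yaml text are constructed for the example, and the `urls:` reader is a small line-based scanner for the layout Helm writes, not a general YAML parser.

```python
"""Audit a Helm index.yaml for chart URLs outside the repository's origin.

Added example, not Helm's own code. Applies the rule Helm 3.6.1 introduced
(credentials go only to chart URLs sharing the repository's scheme, host
and port unless --pass-credentials is set) and lists the URLs a pre-3.6.1
client would have leaked the repository's username and password to.
"""
from urllib.parse import urljoin, urlparse


def origin(url):
    """(scheme, host, port) as written. An explicit port never equals an
    implicit one here, which is the conservative choice for an audit."""
    p = urlparse(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def credentials_allowed(repo_url, chart_url, pass_credentials=False):
    """Helm >= 3.6.1 behaviour: same origin, or explicit --pass-credentials."""
    return pass_credentials or origin(repo_url) == origin(chart_url)


def chart_urls(index_yaml):
    """Yield (chart_name, url) for each item under an entry's `urls:` list.

    Minimal scanner for the index layout Helm generates; not a YAML parser.
    """
    name = None
    urls_indent = None  # indentation of the currently open `urls:` list
    for raw in index_yaml.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if urls_indent is not None:
            if stripped.startswith("- ") and indent >= urls_indent:
                yield name, stripped[2:].strip().strip("\"'")
                continue
            urls_indent = None  # any other line closes the list
        if indent == 2 and stripped.endswith(":") and not stripped.startswith("- "):
            name = stripped[:-1]  # chart name key under top-level `entries:`
        elif stripped == "urls:":
            urls_indent = indent


def foreign_chart_urls(repo_url, index_yaml, pass_credentials=False):
    """Return [(chart, resolved_url)] that will NOT receive credentials under
    the 3.6.1 rule, i.e. exactly the set an older Helm leaked them to."""
    base = repo_url.rstrip("/") + "/"  # relative chart URLs resolve against the repo path
    leaked = []
    for chart, ref in chart_urls(index_yaml):
        full = urljoin(base, ref)
        if not credentials_allowed(repo_url, full, pass_credentials):
            leaked.append((chart, full))
    return leaked


REPO_URL = "https://charts.example.com/stable"  # assumed private repository

# Constructed index.yaml: one in-repo chart, one whose archives live elsewhere.
SAMPLE_INDEX = """\
apiVersion: v1
entries:
  webapp:
  - apiVersion: v2
    name: webapp
    version: 1.2.0
    urls:
    - webapp-1.2.0.tgz
  - apiVersion: v2
    name: webapp
    version: 1.1.0
    urls:
    - https://charts.example.com/stable/webapp-1.1.0.tgz
  tools:
  - apiVersion: v2
    name: tools
    version: 0.3.0
    urls:
    - https://cdn.example.net/charts/tools-0.3.0.tgz
    - http://charts.example.com/stable/tools-0.3.0.tgz
    - https://charts.example.com:8443/stable/tools-0.3.0.tgz
generated: "2021-06-16T00:00:00Z"
"""

if __name__ == "__main__":
    for chart, url in foreign_chart_urls(REPO_URL, SAMPLE_INDEX):
        print(f"{chart}: credentials would have been sent to {url}")
```

Against the sample, the three `tools` archives are flagged: a different host, a different scheme, and a different port, while both `webapp` archives resolve to the repository's own origin and are fine. To run it against a real repository, download its index.yaml with the same credentials Helm uses and feed the text to `foreign_chart_urls`; any hit is a domain that received those credentials from Helm 3.6.0 or earlier. Passing `pass_credentials=True` mirrors what `--pass-credentials` does in 3.6.1 and returns an empty list.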
The release of Helm 3.6.1 received positive community engagement, with numerous GitHub users reacting to the security release announcement. The community acknowledged the importance of this security fix, as evidenced by the 119 thumbs up reactions and 35 celebration reactions on the release announcement (GitHub Release).
Source: This report was generated using AI