Withdrawn Advisory: Helm shows secrets in clear text

GHSA-jw44-4f3j-q396 · CVE-2019-25210

Published Mar 3, 2024 · Modified Feb 4, 2026

Description

Withdrawn Advisory

This advisory has been withdrawn because the issue describes intended behavior and the output is not exposed to unauthorized users. This link has been maintained to preserve external references.

Original Description

An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values).

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-25210
WEB https://github.com/helm/helm/issues/7275
WEB https://github.com/helm/helm
WEB https://helm.sh/blog/response-cve-2019-25210
WEB https://www.cncf.io/projects/helm

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes