SCA: security update for helm.sh/helm/v3 (GHSA-c38g-469g-cmgx)

medium Tenable Cloud Security Plugin ID 413612

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Helm is open-source software which is essentially "The Kubernetes Package Manager". Helm is a tool for
managing Charts. Charts are packages of pre-configured Kubernetes resources. In Helm from version 3.0 and
before version 3.5.2, there a few cases where data loaded from potentially untrusted sources was not
properly sanitized. When a SemVer in the `version` field of a chart is invalid, in some cases Helm allows
the string to be used "as is" without sanitizing. Helm fails to properly sanitized some fields present on
Helm repository `index.yaml` files. Helm does not properly sanitized some fields in the `plugin.yaml` file
for plugins In some cases, Helm does not properly sanitize the fields in the `Chart.yaml` file. By
exploiting these attack vectors, core maintainers were able to send deceptive information to a terminal
screen running the `helm` command, as well as obscure or alter information on the screen. In some cases,
we could send codes that terminals used to execute higher-order logic, like clearing a terminal screen.
Further, during evaluation, the Helm maintainers discovered a few other fields that were not properly
sanitized when read out of repository index files. This fix remedies all such cases, and once again
enforces SemVer2 policies on version fields. All users of the Helm 3 should upgrade to the fixed version
3.5.2 or later. Those who use Helm as a library should verify that they either sanitize this data on their
own, or use the proper Helm API calls to sanitize the data. (CVE-2021-21303)

See Also

https://github.com/advisories/GHSA-c38g-469g-cmgx

Plugin Details

Severity: Medium

ID: 413612

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 50.9

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2021-21303

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/23/2021

Vulnerability Publication Date: 2/5/2021

Reference Information

CVE: CVE-2021-21303

cwe: CWE-74