data/reports/GO-2023-1547.yaml - vulndb - Git at Google

 modules:
   - module: helm.sh/helm/v3
     versions:
       - fixed: 3.11.1
     vulnerable_at: 3.11.0
     packages:
       - package: helm.sh/helm/v3/cmd/helm
         symbols:
           - addInstallFlags
           - newUpgradeCmd
         derived_symbols:
           - main
       - package: helm.sh/helm/v3/pkg/action
         symbols:
           - Configuration.renderResources
           - Install.RunWithContext
           - Upgrade.prepareUpgrade
         derived_symbols:
           - Install.Run
           - Lint.Run
           - Upgrade.Run
           - Upgrade.RunWithContext
       - package: helm.sh/helm/v3/pkg/engine
         symbols:
           - Engine.initFunMap
         derived_symbols:
           - Engine.Render
           - Render
           - RenderWithClient
 description: |-
     An information disclosure vulnerability exists in the `getHostByName`
     template function.

     `getHostByName` is a Helm template function introduced in Helm v3. The
     function is able to accept a hostname and return an IP address for that
     hostname. To get the IP address the function performs a DNS lookup. The DNS
     lookup happens when used with `helm install|upgrade|template` or when the
     Helm SDK is used to render a chart.

     Information passed into the chart can be disclosed to the DNS servers used
     to lookup the IP address. For example, a malicious chart could inject
     `getHostByName` into a chart in order to disclose values to a malicious DNS
     server.
 cves:
   - CVE-2023-25165
 ghsas:
   - GHSA-pwcw-6f5g-gxf8
 credit: Philipp Stehle of SAP
 references:
   - advisory: https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8
   - fix: https://github.com/helm/helm/commit/293b50c65d4d56187cd4e2f390f0ada46b4c4737
	modules:
	- module: helm.sh/helm/v3
	versions:
	- fixed: 3.11.1
	vulnerable_at: 3.11.0
	packages:
	- package: helm.sh/helm/v3/cmd/helm
	symbols:
	- addInstallFlags
	- newUpgradeCmd
	derived_symbols:
	- main
	- package: helm.sh/helm/v3/pkg/action
	symbols:
	- Configuration.renderResources
	- Install.RunWithContext
	- Upgrade.prepareUpgrade
	derived_symbols:
	- Install.Run
	- Lint.Run
	- Upgrade.Run
	- Upgrade.RunWithContext
	- package: helm.sh/helm/v3/pkg/engine
	symbols:
	- Engine.initFunMap
	derived_symbols:
	- Engine.Render
	- Render
	- RenderWithClient
	description: \|-
	An information disclosure vulnerability exists in the `getHostByName`
	template function.

	`getHostByName` is a Helm template function introduced in Helm v3. The
	function is able to accept a hostname and return an IP address for that
	hostname. To get the IP address the function performs a DNS lookup. The DNS
	lookup happens when used with `helm install\|upgrade\|template` or when the
	Helm SDK is used to render a chart.

	Information passed into the chart can be disclosed to the DNS servers used
	to lookup the IP address. For example, a malicious chart could inject
	`getHostByName` into a chart in order to disclose values to a malicious DNS
	server.
	cves:
	- CVE-2023-25165
	ghsas:
	- GHSA-pwcw-6f5g-gxf8
	credit: Philipp Stehle of SAP
	references:
	- advisory: https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8
	- fix: https://github.com/helm/helm/commit/293b50c65d4d56187cd4e2f390f0ada46b4c4737