| modules: |
| - module: helm.sh/helm/v3 |
| versions: |
| - fixed: 3.11.1 |
| vulnerable_at: 3.11.0 |
| packages: |
| - package: helm.sh/helm/v3/cmd/helm |
| symbols: |
| - addInstallFlags |
| - newUpgradeCmd |
| derived_symbols: |
| - main |
| - package: helm.sh/helm/v3/pkg/action |
| symbols: |
| - Configuration.renderResources |
| - Install.RunWithContext |
| - Upgrade.prepareUpgrade |
| derived_symbols: |
| - Install.Run |
| - Lint.Run |
| - Upgrade.Run |
| - Upgrade.RunWithContext |
| - package: helm.sh/helm/v3/pkg/engine |
| symbols: |
| - Engine.initFunMap |
| derived_symbols: |
| - Engine.Render |
| - Render |
| - RenderWithClient |
| description: |- |
| An information disclosure vulnerability exists in the `getHostByName` |
| template function. |
| |
| `getHostByName` is a Helm template function introduced in Helm v3. The |
| function is able to accept a hostname and return an IP address for that |
| hostname. To get the IP address the function performs a DNS lookup. The DNS |
| lookup happens when used with `helm install|upgrade|template` or when the |
| Helm SDK is used to render a chart. |
| |
| Information passed into the chart can be disclosed to the DNS servers used |
| to lookup the IP address. For example, a malicious chart could inject |
| `getHostByName` into a chart in order to disclose values to a malicious DNS |
| server. |
| cves: |
| - CVE-2023-25165 |
| ghsas: |
| - GHSA-pwcw-6f5g-gxf8 |
| credit: Philipp Stehle of SAP |
| references: |
| - advisory: https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8 |
| - fix: https://github.com/helm/helm/commit/293b50c65d4d56187cd4e2f390f0ada46b4c4737 |
