blob: 11b030ad459f0d97eeaf87f18171846375bb670f [file] [log] [blame]
id: GO-2023-1547
modules:
- module: helm.sh/helm/v3
versions:
- fixed: 3.11.1
vulnerable_at: 3.11.0
packages:
- package: helm.sh/helm/v3/cmd/helm
symbols:
- addInstallFlags
- newUpgradeCmd
derived_symbols:
- main
- package: helm.sh/helm/v3/pkg/action
symbols:
- Configuration.renderResources
- Install.RunWithContext
- Upgrade.prepareUpgrade
derived_symbols:
- Install.Run
- Lint.Run
- Upgrade.Run
- Upgrade.RunWithContext
- package: helm.sh/helm/v3/pkg/engine
symbols:
- Engine.initFunMap
derived_symbols:
- Engine.Render
- Render
- RenderWithClient
summary: Information disclosure in helm.sh/helm/v3
description: |-
An information disclosure vulnerability exists in the getHostByName template
function.
The function getHostByName is a Helm template function introduced in Helm v3.
The function is able to accept a hostname and return an IP address for that
hostname. To get the IP address the function performs a DNS lookup. The DNS
lookup happens when used with "helm install|upgrade|template" or when the Helm
SDK is used to render a chart.
Information passed into the chart can be disclosed to the DNS servers used to
lookup the IP address. For example, a malicious chart could inject getHostByName
into a chart in order to disclose values to a malicious DNS server.
cves:
- CVE-2023-25165
ghsas:
- GHSA-pwcw-6f5g-gxf8
credits:
- Philipp Stehle of SAP
references:
- advisory: https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8
- fix: https://github.com/helm/helm/commit/293b50c65d4d56187cd4e2f390f0ada46b4c4737
review_status: REVIEWED