blob: 5d00d1bd0f6058b728970e2fe39b2ce90ff380dd [file] [log] [blame]
id: GO-2023-1547
modules:
- module: helm.sh/helm/v3
versions:
- fixed: 3.11.1
vulnerable_at: 3.11.0
packages:
- package: helm.sh/helm/v3/cmd/helm
symbols:
- addInstallFlags
- newUpgradeCmd
derived_symbols:
- main
- package: helm.sh/helm/v3/pkg/action
symbols:
- Configuration.renderResources
- Install.RunWithContext
- Upgrade.prepareUpgrade
derived_symbols:
- Install.Run
- Lint.Run
- Upgrade.Run
- Upgrade.RunWithContext
- package: helm.sh/helm/v3/pkg/engine
symbols:
- Engine.initFunMap
derived_symbols:
- Engine.Render
- Render
- RenderWithClient
summary: Information disclosure in helm.sh/helm/v3
description: |-
An information disclosure vulnerability exists in the `getHostByName` template
function.
`getHostByName` is a Helm template function introduced in Helm v3. The function
is able to accept a hostname and return an IP address for that hostname. To get
the IP address the function performs a DNS lookup. The DNS lookup happens when
used with `helm install|upgrade|template` or when the Helm SDK is used to render
a chart.
Information passed into the chart can be disclosed to the DNS servers used to
lookup the IP address. For example, a malicious chart could inject
`getHostByName` into a chart in order to disclose values to a malicious DNS
server.
cves:
- CVE-2023-25165
ghsas:
- GHSA-pwcw-6f5g-gxf8
credits:
- Philipp Stehle of SAP
references:
- advisory: https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8
- fix: https://github.com/helm/helm/commit/293b50c65d4d56187cd4e2f390f0ada46b4c4737