| id: GO-2023-1547 |
| modules: |
| - module: helm.sh/helm/v3 |
| versions: |
| - fixed: 3.11.1 |
| vulnerable_at: 3.11.0 |
| packages: |
| - package: helm.sh/helm/v3/cmd/helm |
| symbols: |
| - addInstallFlags |
| - newUpgradeCmd |
| derived_symbols: |
| - main |
| - package: helm.sh/helm/v3/pkg/action |
| symbols: |
| - Configuration.renderResources |
| - Install.RunWithContext |
| - Upgrade.prepareUpgrade |
| derived_symbols: |
| - Install.Run |
| - Lint.Run |
| - Upgrade.Run |
| - Upgrade.RunWithContext |
| - package: helm.sh/helm/v3/pkg/engine |
| symbols: |
| - Engine.initFunMap |
| derived_symbols: |
| - Engine.Render |
| - Render |
| - RenderWithClient |
| summary: Information disclosure in helm.sh/helm/v3 |
| description: |- |
| An information disclosure vulnerability exists in the `getHostByName` template |
| function. |
| |
| `getHostByName` is a Helm template function introduced in Helm v3. The function |
| is able to accept a hostname and return an IP address for that hostname. To get |
| the IP address the function performs a DNS lookup. The DNS lookup happens when |
| used with `helm install|upgrade|template` or when the Helm SDK is used to render |
| a chart. |
| |
| Information passed into the chart can be disclosed to the DNS servers used to |
| lookup the IP address. For example, a malicious chart could inject |
| `getHostByName` into a chart in order to disclose values to a malicious DNS |
| server. |
| cves: |
| - CVE-2023-25165 |
| ghsas: |
| - GHSA-pwcw-6f5g-gxf8 |
| credits: |
| - Philipp Stehle of SAP |
| references: |
| - advisory: https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8 |
| - fix: https://github.com/helm/helm/commit/293b50c65d4d56187cd4e2f390f0ada46b4c4737 |