getHostByName Function Information Disclosure
Description
Helm is a tool that streamlines installing and managing Kubernetes applications. getHostByName is a Helm template function introduced in Helm v3. The function accepts a hostname and returns an IP address for that hostname, which it obtains by performing a DNS lookup. The lookup happens when a chart is rendered with helm install|upgrade|template or when the Helm SDK is used to render the chart. Information passed into the chart can therefore be disclosed to the DNS servers used for the lookup: for example, a malicious chart could inject getHostByName into a template in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Before using a chart with Helm, verify that the getHostByName function is not being used in a template to disclose any information you do not want passed to DNS servers.
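As an added, defender-side example (not Helm's code and not part of this advisory), the following Go program renders a chart template with getHostByName swapped for a recording stub, so the hostnames a render would send to DNS can be reviewed offline and compared against the chart's values before the chart is installed. The template, the values and the `quote` stand-in are constructed for this example, and only the functions registered in the FuncMap exist during the render, so a real chart would need stand-ins for any other Sprig or Helm functions it uses.

```go
package main

import (
	"fmt"
	"io"
	"strings"
	"text/template"
)

// RenderWithProbe renders a chart template with getHostByName replaced by a
// recording stub and returns the hostnames a real render would have resolved.
func RenderWithProbe(tmpl string, values map[string]any) ([]string, error) {
	var hosts []string
	funcs := template.FuncMap{ // only these functions exist during the render
		"getHostByName": func(h string) string { hosts = append(hosts, h); return "0.0.0.0" },
		"quote":         func(s string) string { return fmt.Sprintf("%q", s) }, // Sprig stand-in
	}
	t, err := template.New("chart").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return nil, err
	}
	if err = t.Execute(io.Discard, map[string]any{"Values": values}); err != nil {
		return nil, err
	}
	return hosts, nil
}

// LeakedValues maps each string value that appears verbatim inside a resolved
// hostname to the hostnames that would carry it to the DNS server.
func LeakedValues(hosts []string, values map[string]any) map[string][]string {
	leaks := map[string][]string{}
	for key, v := range values {
		for _, h := range hosts {
			if s, _ := v.(string); s != "" && strings.Contains(h, s) {
				leaks[key] = append(leaks[key], h)
			}
		}
	}
	return leaks
}
// Constructed sample template and values; not taken from any real chart.
const sampleChart = `data:
  seed: {{ getHostByName "seed.example.internal" }}
  db: {{ getHostByName .Values.dbHost | quote }}
  token: {{ getHostByName (printf "%s.%s" .Values.apiToken .Values.dbHost) }}`
var sampleValues = map[string]any{"dbHost": "db.example.internal", "apiToken": "s3cr3t-token"}
func main() {
	hosts, err := RenderWithProbe(sampleChart, sampleValues)
	fmt.Println(hosts, err, LeakedValues(hosts, sampleValues))
}
```

The literal hostname leaks nothing, while the two dynamic lookups show the dbHost and apiToken values travelling to the resolver inside the queried name.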
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| helm.sh/helm/v3 (Go) | >= 3.0.0, < 3.11.1 | 3.11.1 |
Affected products
Package coordinates (purls from OSV) and affected ranges; no CPE is recorded for any entry.
| Package | Distribution | Affected range |
|---|---|---|
| pkg:apk/chainguard/flux-helm-controller-0.37 | Chainguard | < 0.27.0-r7 |
| pkg:apk/chainguard/helm | Chainguard | < 3.11.1-r0 |
| pkg:apk/chainguard/helm-3 | Chainguard | < 3.19.2-r1 |
| pkg:apk/chainguard/helm-4 | Chainguard | < 4.0.1-r1 |
| pkg:apk/wolfi/helm | Wolfi | < 3.11.1-r0 |
| pkg:apk/wolfi/helm-3 | Wolfi | < 3.19.2-r1 |
| pkg:apk/wolfi/helm-4 | Wolfi | < 4.0.1-r1 |
| pkg:bitnami/helm | Bitnami | >= 3.0.0, < 3.11.1 |
| pkg:golang/helm.sh/helm/v3 | Go module | >= 3.0.0, < 3.11.1 |
| pkg:rpm/opensuse/cilium-cli | openSUSE Tumbleweed | < 0.12.13-1.1 |
| pkg:rpm/opensuse/helm3 | openSUSE Tumbleweed | < 3.19.2-1.1 |
| pkg:rpm/opensuse/helm | openSUSE Leap 15.4 | < 3.11.1-150000.1.16.1 |
| pkg:rpm/opensuse/helm | openSUSE Tumbleweed | < 3.11.1-1.1 |
| pkg:rpm/opensuse/helmfile | openSUSE Tumbleweed | < 0.150.0-2.1 |
| pkg:rpm/opensuse/k9s | openSUSE Tumbleweed | < 0.27.3-1.1 |
| pkg:rpm/opensuse/nova | openSUSE Tumbleweed | < 3.6.1-1.1 |
| pkg:rpm/opensuse/pluto | openSUSE Tumbleweed | < 5.13.3-1.1 |
| pkg:rpm/opensuse/terraform-provider-helm | openSUSE Leap 15.4 | < 2.9.0-150200.6.8.1 |
| pkg:rpm/opensuse/terraform-provider-helm | openSUSE Tumbleweed | < 2.9.0-1.1 |
| pkg:rpm/opensuse/trivy | openSUSE Leap 15.4 | < 0.37.3-bp154.2.9.1 |
| pkg:rpm/opensuse/trivy | openSUSE Tumbleweed | < 0.37.3-1.1 |
| pkg:rpm/suse/helm | SUSE Linux Enterprise Module for Containers 15 SP4 | < 3.11.1-150000.1.16.1 |
| pkg:rpm/suse/helm | SUSE Linux Enterprise Module for Package Hub 15 SP4 | < 3.11.1-150000.1.16.1 |
| pkg:rpm/suse/terraform-provider-helm | SUSE Linux Enterprise Module for Public Cloud 15 SP1 | < 2.9.0-150100.3.6.3 |
| pkg:rpm/suse/terraform-provider-helm | SUSE Linux Enterprise Module for Public Cloud 15 SP2 | < 2.9.0-150200.6.8.1 |
| pkg:rpm/suse/terraform-provider-helm | SUSE Linux Enterprise Module for Public Cloud 15 SP3 | < 2.9.0-150200.6.8.1 |
| pkg:rpm/suse/terraform-provider-helm | SUSE Linux Enterprise Module for Public Cloud 15 SP4 | < 2.9.0-150200.6.8.1 |
| pkg:rpm/suse/trivy | SUSE Package Hub 15 SP4 | < 0.37.3-bp154.2.9.1 |
References
- github.com/advisories/GHSA-pwcw-6f5g-gxf8 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-25165 (NVD advisory)
- github.com/helm/helm/commit/293b50c65d4d56187cd4e2f390f0ada46b4c4737 (commit)
- github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2 (commit)
- github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8 (vendor advisory)
- pkg.go.dev/vuln/GO-2023-1547 (Go vulnerability database entry)