Bug ID 1208091
Summary VUL-0: CVE-2023-25165: trivy: helm: getHostByName Function Information Disclosure
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
URL https://smash.suse.de/issue/356535/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee dmueller@suse.com
Reporter thomas.leroy@suse.com
QA Contact qa-bugs@suse.de
Blocks 1208083
Found By Security Response Team
Blocker ---

+++ This bug was initially created as a clone of Bug #1208083 +++

CVE-2023-25165

Helm is a tool that streamlines installing and managing Kubernetes
applications.`getHostByName` is a Helm template function introduced in Helm v3.
The function is able to accept a hostname and return an IP address for that
hostname. To get the IP address the function performs a DNS lookup. The DNS
lookup happens when used with `helm install|upgrade|template` or when the Helm
SDK is used to render a chart. Information passed into the chart can be
disclosed to the DNS servers used to lookup the IP address. For example, a
malicious chart could inject `getHostByName` into a chart in order to disclose
values to a malicious DNS server. The issue has been fixed in Helm 3.11.1.
Prior
to using a chart with Helm verify the `getHostByName` function is not being
used
in a template to disclose any information you do not want passed to DNS
servers.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25165
https://bugzilla.redhat.com/show_bug.cgi?id=2168458
https://www.cve.org/CVERecord?id=CVE-2023-25165
https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2
https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8


You are receiving this mail because: