CVE-2023-25165
Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.
EPSS 0.19% · 40.4th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | helm | 3.0.0 |
| Bitnami | helm | 3.0.0 |
Exploit Intelligence
Timeline
- Feb 8, 2023 CVE Published
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 21, 2023 EPSS Score
- Apr 30, 2023 EPSS Score
- Jun 9, 2023 EPSS Score
- Aug 27, 2023 EPSS Score
- Oct 6, 2023 EPSS Score
- Nov 15, 2023 EPSS Score
- Dec 25, 2023 EPSS Score
- Feb 3, 2024 EPSS Score
- Mar 14, 2024 EPSS Score