{"id":"GO-2023-1547","summary":"Information disclosure in helm.sh/helm/v3","details":"An information disclosure vulnerability exists in the getHostByName template function.\n\nThe function getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with \"helm install|upgrade|template\" or when the Helm SDK is used to render a chart.\n\nInformation passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject getHostByName into a chart in order to disclose values to a malicious DNS server.","aliases":["BIT-helm-2023-25165","CVE-2023-25165","GHSA-pwcw-6f5g-gxf8"],"modified":"2026-02-04T04:24:25.402649Z","published":"2023-02-14T15:53:55Z","related":["CGA-gm8w-h288-pqj4"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2023-1547"},"references":[{"type":"ADVISORY","url":"https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8"},{"type":"FIX","url":"https://github.com/helm/helm/commit/293b50c65d4d56187cd4e2f390f0ada46b4c4737"}],"affected":[{"package":{"name":"helm.sh/helm/v3","ecosystem":"Go","purl":"pkg:golang/helm.sh/helm/v3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.11.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["addInstallFlags","main","newUpgradeCmd"],"path":"helm.sh/helm/v3/cmd/helm"},{"symbols":["Configuration.renderResources","Install.Run","Install.RunWithContext","Lint.Run","Upgrade.Run","Upgrade.RunWithContext","Upgrade.prepareUpgrade"],"path":"helm.sh/helm/v3/pkg/action"},{"symbols":["Engine.Render","Engine.initFunMap","Render","RenderWithClient"],"path":"helm.sh/helm/v3/pkg/engine"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1547.json"}}],"schema_version":"1.7.3","credits":[{"name":"Philipp Stehle of SAP"}]}