What is CVE-2023-25165?

CVE-2023-25165 is a vulnerability found in the helm package that allows remote attackers to perform DNS lookups.

What is the severity level of CVE-2023-25165?

The severity level of CVE-2023-25165 is medium, with a severity value of 4.

How does the getHostByName function in the helm package work?

The getHostByName function in the helm package accepts a hostname and performs a DNS lookup to return the corresponding IP address.

Which version of Helm is affected by CVE-2023-25165?

Helm version 3.11.1 is affected by CVE-2023-25165.

How can I fix the vulnerability CVE-2023-25165 in Helm?

To fix the vulnerability CVE-2023-25165, update Helm to version 3.11.1.

Vulnerability/
CVE-2023-25165

medium

4.3

CWE

200

8/2/2023

2/8/2024

CVE-2023-25165: getHostByName Function Information Disclosure

First published: Wed Feb 08 2023(Updated: )

A flaw was found in the helm package. The 'getHostByName' is a Helm template function introduced in Helm v3 and can accept a hostname and return an IP address for that hostname. To get the IP address, the function performs a DNS lookup. The DNS lookup happens when used with 'helm install|upgrade|template' or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to look up the IP address. For example, a malicious chart could inject getHostByName into a chart to disclose values to a malicious DNS server.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Helm Helm	>=3.0.0<3.11.1

Remedy

https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

RHSA-2023:1326

Frequently Asked Questions

What is CVE-2023-25165?
CVE-2023-25165 is a vulnerability found in the helm package that allows remote attackers to perform DNS lookups.
What is the severity level of CVE-2023-25165?
The severity level of CVE-2023-25165 is medium, with a severity value of 4.
How does the getHostByName function in the helm package work?
The getHostByName function in the helm package accepts a hostname and performs a DNS lookup to return the corresponding IP address.
Which version of Helm is affected by CVE-2023-25165?
Helm version 3.11.1 is affected by CVE-2023-25165.
How can I fix the vulnerability CVE-2023-25165 in Helm?
To fix the vulnerability CVE-2023-25165, update Helm to version 3.11.1.

collector/redhat-cve
collector/nvd-index
agent/first-publish-date
agent/type
agent/softwarecombine
agent/author
agent/severity
agent/remedy
agent/weakness
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-25165
agent/software-canonical-lookup
agent/references
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/tags
agent/event
vendor/helm
canonical/helm helm
version/helm helm/3.0.0
package-manager/redhat

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.