CVE-2020-11013

Published: 24 April 2020

There is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. `lookup` is a Helm template function introduced in Helm v3. It is able to look up resources in the cluster to check for the existence of specific resources and get details about them. This can be used as part of the process to render templates.

The documented behavior of `helm template` states that it does not attach to a remote cluster. However, the recently added `lookup` template function circumvents this restriction and connects to the cluster even during `helm template` and `helm install|update|delete|rollback --dry-run`. The user is not notified of this behavior. Running `helm template` should not make calls to a cluster. This is different from `install`, which is presumed to have access to a cluster in order to load resources into Kubernetes. Helm 2 is unaffected by this vulnerability.

A malicious chart author could inject a `lookup` into a chart that, when rendered through `helm template`, performs unannounced lookups against the cluster a user's `KUBECONFIG` file points to. This information can then be disclosed via the output of `helm template`. This issue has been fixed in Helm 3.2.0.
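When a chart from an untrusted source has to be rendered with an affected Helm version, its templates can be checked for `lookup` calls before `helm template` is run. The Python sketch below is an added example, not part of this advisory or of Helm; the sample template and the function names are constructed, and the argument order reported (apiVersion, kind, namespace, name) is the one Helm documents for `lookup`.

```python
import re
from pathlib import Path

# One Go-template action, with optional whitespace-trim markers.
ACTION = re.compile(r"\{\{-?\s*(.*?)\s*-?\}\}", re.DOTALL)
# String literals first, then identifiers/fields/variables, then punctuation.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|`[^`]*`|[.$]?[\w.]+|\S')

# Constructed sample standing in for one file under a chart's templates/ directory.
SAMPLE = '''kind: ConfigMap
data:
  {{- /* the word lookup in a comment is not a call */}}
  note: {{ .Values.lookup | default "lookup disabled" | quote }}
  {{- range $i, $s := (lookup "v1" "Secret" "kube-system" "").items }}
  found-{{ $i }}: {{ $s.metadata.name }}
  {{- end }}
'''

def find_lookups(text):
    """Return (line, string_args) for each bare `lookup` call in template actions."""
    hits = []
    for m in ACTION.finditer(text):
        body = m.group(1)
        if body.startswith("/*"):  # template comment, never executed
            continue
        tokens = TOKEN.findall(body)
        for i, tok in enumerate(tokens):
            if tok != "lookup":  # .Values.lookup and $lookup are other tokens
                continue
            args = []
            for nxt in tokens[i + 1:]:
                if nxt[0] not in '"`':
                    break
                args.append(nxt[1:-1])
            hits.append((text.count("\n", 0, m.start()) + 1, args))
    return hits

def scan_chart(chart_dir):
    """Map each file under a templates/ directory (unpacked subcharts too) to its hits."""
    report = {}
    for path in Path(chart_dir).rglob("*"):
        if path.is_file() and "templates" in path.parts:
            hits = find_lookups(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    print(find_lookups(SAMPLE))
```

The matcher is a heuristic: it does not handle `}}` inside a string literal and does not open packaged `.tgz` subcharts, so dependencies need to be unpacked before scanning.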

Priority

Low

CVSS 3 Severity Score

5.0

Status

| Package | Release | Status |
|---------|---------|--------|
| helm | groovy | Ignored (end of life) |
| helm | bionic | Needs triage |
| helm | hirsute | Ignored (end of life) |
| helm | xenial | Needs triage |
| helm | jammy | Needs triage |
| helm | kinetic | Ignored (end of life, was needs-triage) |
| helm | eoan | Ignored (end of life) |
| helm | focal | Needs triage |
| helm | impish | Ignored (end of life) |
| helm | trusty | Does not exist |
| helm | upstream | Needs triage |
| helm | mantic | Needs triage |
| helm | lunar | Ignored (end of life, was needs-triage) |

Severity score breakdown

| Parameter | Value |
|-----------|-------|
| Base score | 5.0 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |