Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2023-25165 (GCVE-0-2023-25165)
Vulnerability from cvelistv5 – Published: 2023-02-08 19:07 – Updated: 2025-03-10 21:15
VLAI?
EPSS
Title
getHostByName Function Information Disclosure
Summary
Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/helm/helm/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/helm/helm/commit/5abcf74227bfe… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:18:35.855Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8"
},
{
"name": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25165",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:01:09.151862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:15:03.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "helm",
"vendor": "helm",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-08T19:07:14.089Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8"
},
{
"name": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2"
}
],
"source": {
"advisory": "GHSA-pwcw-6f5g-gxf8",
"discovery": "UNKNOWN"
},
"title": "getHostByName Function Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25165",
"datePublished": "2023-02-08T19:07:14.089Z",
"dateReserved": "2023-02-03T16:59:18.246Z",
"dateUpdated": "2025-03-10T21:15:03.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-25165",
"date": "2026-05-19",
"epss": "0.00187",
"percentile": "0.40217"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.0.0\", \"versionEndExcluding\": \"3.11.1\", \"matchCriteriaId\": \"52B3342E-F1D8-46B9-91C1-192092207FFA\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.\"}]",
"id": "CVE-2023-25165",
"lastModified": "2024-11-21T07:49:14.133",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
"published": "2023-02-08T20:15:24.937",
"references": "[{\"url\": \"https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-25165\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-02-08T20:15:24.937\",\"lastModified\":\"2024-11-21T07:49:14.133\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.11.1\",\"matchCriteriaId\":\"52B3342E-F1D8-46B9-91C1-192092207FFA\"}]}]}],\"references\":[{\"url\":\"https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8\", \"name\": \"https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2\", \"name\": \"https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T11:18:35.855Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-25165\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T21:01:09.151862Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T21:01:10.455Z\"}}], \"cna\": {\"title\": \"getHostByName Function Information Disclosure\", \"source\": {\"advisory\": \"GHSA-pwcw-6f5g-gxf8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"helm\", \"product\": \"helm\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.11.1\"}]}], \"references\": [{\"url\": \"https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8\", \"name\": \"https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2\", \"name\": \"https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-02-08T19:07:14.089Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-25165\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-10T21:15:03.873Z\", \"dateReserved\": \"2023-02-03T16:59:18.246Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-02-08T19:07:14.089Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
CERTFR-2023-AVI-0504
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Spectrum | IBM Spectrum Protect Backup-Archive Client versions 8.1.x antérieures à 8.1.19.0 | ||
| IBM | Db2 | Db2 Graph versions 1.0.0.592 à 1.0.0.1690 sans le dernier correctif de sécurité | ||
| IBM | N/A | IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions antérieures à 4.7 |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Spectrum Protect Backup-Archive Client versions 8.1.x ant\u00e9rieures \u00e0 8.1.19.0",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 Graph versions 1.0.0.592 \u00e0 1.0.0.1690 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions ant\u00e9rieures \u00e0 4.7",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-43927",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43927"
},
{
"name": "CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"name": "CVE-2022-33980",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33980"
},
{
"name": "CVE-2023-27555",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27555"
},
{
"name": "CVE-2023-25165",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25165"
},
{
"name": "CVE-2022-41725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41725"
},
{
"name": "CVE-2023-23936",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23936"
},
{
"name": "CVE-2019-18634",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-18634"
},
{
"name": "CVE-2023-24807",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24807"
},
{
"name": "CVE-2023-28956",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28956"
},
{
"name": "CVE-2023-29257",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29257"
},
{
"name": "CVE-2019-19232",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19232"
},
{
"name": "CVE-2023-26021",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26021"
},
{
"name": "CVE-2022-37865",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37865"
},
{
"name": "CVE-2023-23920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23920"
},
{
"name": "CVE-2022-41716",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41716"
},
{
"name": "CVE-2019-10743",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10743"
},
{
"name": "CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"name": "CVE-2023-23918",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
},
{
"name": "CVE-2022-37866",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37866"
},
{
"name": "CVE-2020-8244",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8244"
},
{
"name": "CVE-2022-42889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
},
{
"name": "CVE-2023-24539",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24539"
},
{
"name": "CVE-2014-3577",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3577"
},
{
"name": "CVE-2022-41915",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41915"
},
{
"name": "CVE-2023-24532",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24532"
},
{
"name": "CVE-2021-3156",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3156"
},
{
"name": "CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"name": "CVE-2022-41721",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41721"
},
{
"name": "CVE-2023-29400",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29400"
},
{
"name": "CVE-2022-25881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
},
{
"name": "CVE-2022-43548",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43548"
},
{
"name": "CVE-2023-25930",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25930"
},
{
"name": "CVE-2022-41854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
},
{
"name": "CVE-2022-41724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41724"
},
{
"name": "CVE-2023-23919",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23919"
},
{
"name": "CVE-2023-29255",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29255"
},
{
"name": "CVE-2023-24540",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24540"
},
{
"name": "CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"name": "CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"name": "CVE-2023-24537",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24537"
},
{
"name": "CVE-2022-38752",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
},
{
"name": "CVE-2022-43930",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43930"
},
{
"name": "CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"name": "CVE-2023-27559",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27559"
},
{
"name": "CVE-2022-43929",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43929"
},
{
"name": "CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"name": "CVE-2022-41723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
},
{
"name": "CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"name": "CVE-2019-19234",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19234"
},
{
"name": "CVE-2023-26022",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26022"
},
{
"name": "CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0504",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-06-30T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7008449 du 29 juin 2023",
"url": "https://www.ibm.com/support/pages/node/7008449"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6998815 du 28 juin 2023",
"url": "https://www.ibm.com/support/pages/node/6998815"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7005519 du 26 juin 2023",
"url": "https://www.ibm.com/support/pages/node/7005519"
}
]
}
CERTFR-2023-AVI-0504
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Spectrum | IBM Spectrum Protect Backup-Archive Client versions 8.1.x antérieures à 8.1.19.0 | ||
| IBM | Db2 | Db2 Graph versions 1.0.0.592 à 1.0.0.1690 sans le dernier correctif de sécurité | ||
| IBM | N/A | IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions antérieures à 4.7 |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Spectrum Protect Backup-Archive Client versions 8.1.x ant\u00e9rieures \u00e0 8.1.19.0",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 Graph versions 1.0.0.592 \u00e0 1.0.0.1690 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions ant\u00e9rieures \u00e0 4.7",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-43927",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43927"
},
{
"name": "CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"name": "CVE-2022-33980",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33980"
},
{
"name": "CVE-2023-27555",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27555"
},
{
"name": "CVE-2023-25165",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25165"
},
{
"name": "CVE-2022-41725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41725"
},
{
"name": "CVE-2023-23936",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23936"
},
{
"name": "CVE-2019-18634",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-18634"
},
{
"name": "CVE-2023-24807",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24807"
},
{
"name": "CVE-2023-28956",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28956"
},
{
"name": "CVE-2023-29257",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29257"
},
{
"name": "CVE-2019-19232",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19232"
},
{
"name": "CVE-2023-26021",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26021"
},
{
"name": "CVE-2022-37865",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37865"
},
{
"name": "CVE-2023-23920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23920"
},
{
"name": "CVE-2022-41716",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41716"
},
{
"name": "CVE-2019-10743",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10743"
},
{
"name": "CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"name": "CVE-2023-23918",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
},
{
"name": "CVE-2022-37866",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37866"
},
{
"name": "CVE-2020-8244",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8244"
},
{
"name": "CVE-2022-42889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
},
{
"name": "CVE-2023-24539",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24539"
},
{
"name": "CVE-2014-3577",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3577"
},
{
"name": "CVE-2022-41915",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41915"
},
{
"name": "CVE-2023-24532",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24532"
},
{
"name": "CVE-2021-3156",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3156"
},
{
"name": "CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"name": "CVE-2022-41721",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41721"
},
{
"name": "CVE-2023-29400",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29400"
},
{
"name": "CVE-2022-25881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
},
{
"name": "CVE-2022-43548",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43548"
},
{
"name": "CVE-2023-25930",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25930"
},
{
"name": "CVE-2022-41854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
},
{
"name": "CVE-2022-41724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41724"
},
{
"name": "CVE-2023-23919",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23919"
},
{
"name": "CVE-2023-29255",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29255"
},
{
"name": "CVE-2023-24540",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24540"
},
{
"name": "CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"name": "CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"name": "CVE-2023-24537",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24537"
},
{
"name": "CVE-2022-38752",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
},
{
"name": "CVE-2022-43930",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43930"
},
{
"name": "CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"name": "CVE-2023-27559",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27559"
},
{
"name": "CVE-2022-43929",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43929"
},
{
"name": "CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"name": "CVE-2022-41723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
},
{
"name": "CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"name": "CVE-2019-19234",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19234"
},
{
"name": "CVE-2023-26022",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26022"
},
{
"name": "CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0504",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-06-30T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7008449 du 29 juin 2023",
"url": "https://www.ibm.com/support/pages/node/7008449"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6998815 du 28 juin 2023",
"url": "https://www.ibm.com/support/pages/node/6998815"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7005519 du 26 juin 2023",
"url": "https://www.ibm.com/support/pages/node/7005519"
}
]
}
bit-helm-2023-25165
Vulnerability from bitnami_vulndb
Published
2024-03-06 10:53
Modified
2025-05-20 10:02
Summary
getHostByName Function Information Disclosure
Details
Helm is a tool that streamlines installing and managing Kubernetes applications.getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with helm install|upgrade|template or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject getHostByName into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the getHostByName function is not being used in a template to disclose any information you do not want passed to DNS servers.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "helm",
"purl": "pkg:bitnami/helm"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.11.1"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2023-25165"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*"
],
"severity": "Medium"
},
"details": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.",
"id": "BIT-helm-2023-25165",
"modified": "2025-05-20T10:02:07.006Z",
"published": "2024-03-06T10:53:11.303Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25165"
}
],
"schema_version": "1.5.0",
"summary": "getHostByName Function Information Disclosure"
}
FKIE_CVE-2023-25165
Vulnerability from fkie_nvd - Published: 2023-02-08 20:15 - Updated: 2024-11-21 07:49
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52B3342E-F1D8-46B9-91C1-192092207FFA",
"versionEndExcluding": "3.11.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers."
}
],
"id": "CVE-2023-25165",
"lastModified": "2024-11-21T07:49:14.133",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-08T20:15:24.937",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-PWCW-6F5G-GXF8
Vulnerability from github – Published: 2023-02-08 22:36 – Updated: 2023-02-08 22:36
VLAI?
Summary
Helm vulnerable to information disclosure via getHostByName Function
Details
A Helm contributor discovered an information disclosure vulnerability using the getHostByName template function.
Impact
getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with helm install|upgrade|template or when the Helm SDK is used to render a chart.
Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject getHostByName into a chart in order to disclose values to a malicious DNS server.
Patches
The issue has been fixed in Helm 3.11.1.
Workarounds
Prior to using a chart with Helm verify the getHostByName function is not being used in a template to disclose any information you do not want passed to DNS servers.
For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Philipp Stehle at SAP.
Severity ?
4.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "helm.sh/helm/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-25165"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T22:36:51Z",
"nvd_published_at": "2023-02-08T20:15:00Z",
"severity": "MODERATE"
},
"details": "A Helm contributor discovered an information disclosure vulnerability using the `getHostByName` template function.\n\n### Impact\n\n`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart.\n\nInformation passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server.\n\n### Patches\n\nThe issue has been fixed in Helm 3.11.1.\n\n### Workarounds\n\nPrior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.\n\n### For more information\n\nHelm\u0027s security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md) document.\n\n### Credits\n\nDisclosed by Philipp Stehle at SAP.",
"id": "GHSA-pwcw-6f5g-gxf8",
"modified": "2023-02-08T22:36:51Z",
"published": "2023-02-08T22:36:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25165"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/commit/293b50c65d4d56187cd4e2f390f0ada46b4c4737"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2"
},
{
"type": "PACKAGE",
"url": "https://github.com/helm/helm"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2023-1547"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Helm vulnerable to information disclosure via getHostByName Function "
}
GSD-2023-25165
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-25165",
"id": "GSD-2023-25165",
"references": [
"https://www.suse.com/security/cve/CVE-2023-25165.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-25165"
],
"details": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.",
"id": "GSD-2023-25165",
"modified": "2023-12-13T01:20:40.661939Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-25165",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "helm",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003e= 3.0.0, \u003c 3.11.1"
}
]
}
}
]
},
"vendor_name": "helm"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-200",
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8",
"refsource": "MISC",
"url": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8"
},
{
"name": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2",
"refsource": "MISC",
"url": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2"
}
]
},
"source": {
"advisory": "GHSA-pwcw-6f5g-gxf8",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=v3.0.0 \u003cv3.11.1",
"affected_versions": "All versions starting from 3.0.0 before 3.11.1",
"cwe_ids": [
"CWE-1035",
"CWE-200",
"CWE-937"
],
"date": "2023-02-08",
"description": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.",
"fixed_versions": [
"v3.11.1"
],
"identifier": "CVE-2023-25165",
"identifiers": [
"GHSA-pwcw-6f5g-gxf8",
"CVE-2023-25165"
],
"not_impacted": "All versions before 3.0.0, all versions starting from 3.11.1",
"package_slug": "go/helm.sh/helm/v3",
"pubdate": "2023-02-08",
"solution": "Upgrade to version 3.11.1 or above.",
"title": "Exposure of Sensitive Information to an Unauthorized Actor",
"urls": [
"https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8",
"https://nvd.nist.gov/vuln/detail/CVE-2023-25165",
"https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2",
"https://github.com/advisories/GHSA-pwcw-6f5g-gxf8"
],
"uuid": "8dd1a046-b771-4b43-bec2-a3fd6c20e26d",
"versions": []
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.11.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-25165"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2",
"refsource": "MISC",
"tags": [
"Patch"
],
"url": "https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2"
},
{
"name": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8",
"refsource": "MISC",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4
}
},
"lastModifiedDate": "2023-02-16T20:10Z",
"publishedDate": "2023-02-08T20:15Z"
}
}
}
MSRC_CVE-2023-25165
Vulnerability from csaf_microsoft - Published: 2023-02-01 00:00 - Updated: 2024-09-11 00:00Summary
getHostByName Function Information Disclosure
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
4.3 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17972-16820 | — | ||
| Unresolved product id: 17973-17086 | — | ||
| Unresolved product id: 17974-17086 | — |
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2023/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2023/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2023-25165 getHostByName Function Information Disclosure - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-25165.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "getHostByName Function Information Disclosure",
"tracking": {
"current_release_date": "2024-09-11T00:00:00.000Z",
"generator": {
"date": "2025-10-20T00:15:36.638Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2023-25165",
"initial_release_date": "2023-02-01T00:00:00.000Z",
"revision_history": [
{
"date": "2023-02-17T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2023-02-13T00:00:00.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Information published."
},
{
"date": "2024-09-11T00:00:00.000Z",
"legacy_version": "1.2",
"number": "3",
"summary": "Information published."
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.0",
"product": {
"name": "CBL Mariner 1.0",
"product_id": "16820"
}
},
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccm1 helm 3.4.1-16",
"product": {
"name": "\u003ccm1 helm 3.4.1-16",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "cm1 helm 3.4.1-16",
"product": {
"name": "cm1 helm 3.4.1-16",
"product_id": "17972"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 helm 3.10.3-3",
"product": {
"name": "\u003ccbl2 helm 3.10.3-3",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "cbl2 helm 3.10.3-3",
"product": {
"name": "cbl2 helm 3.10.3-3",
"product_id": "17973"
}
}
],
"category": "product_name",
"name": "helm"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 cert-manager 1.7.3-8",
"product": {
"name": "\u003ccbl2 cert-manager 1.7.3-8",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "cbl2 cert-manager 1.7.3-8",
"product": {
"name": "cbl2 cert-manager 1.7.3-8",
"product_id": "17974"
}
}
],
"category": "product_name",
"name": "cert-manager"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccm1 helm 3.4.1-16 as a component of CBL Mariner 1.0",
"product_id": "16820-3"
},
"product_reference": "3",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cm1 helm 3.4.1-16 as a component of CBL Mariner 1.0",
"product_id": "17972-16820"
},
"product_reference": "17972",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 helm 3.10.3-3 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 helm 3.10.3-3 as a component of CBL Mariner 2.0",
"product_id": "17973-17086"
},
"product_reference": "17973",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 cert-manager 1.7.3-8 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 cert-manager 1.7.3-8 as a component of CBL Mariner 2.0",
"product_id": "17974-17086"
},
"product_reference": "17974",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-25165",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"17972-16820",
"17973-17086",
"17974-17086"
],
"known_affected": [
"16820-3",
"17086-2",
"17086-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-25165 getHostByName Function Information Disclosure - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-25165.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-13T00:00:00.000Z",
"details": "3.4.1-16:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"16820-3"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-02-13T00:00:00.000Z",
"details": "3.10.3-3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-2"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-02-13T00:00:00.000Z",
"details": "1.7.3-8:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalsScore": 0.0,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 4.3,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"16820-3",
"17086-2",
"17086-1"
]
}
],
"title": "getHostByName Function Information Disclosure"
}
]
}
OPENSUSE-SU-2023:0064-1
Vulnerability from csaf_opensuse - Published: 2023-03-05 19:03 - Updated: 2023-03-05 19:03Summary
Security update for trivy
Severity
Moderate
Notes
Title of the patch: Security update for trivy
Description of the patch: This update for trivy fixes the following issues:
Update to version 0.37.3 (boo#1208091, CVE-2023-25165):
* chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574)
* ci: quote pros in c++ for semantic pr (#3605)
* fix(image): check proxy settings from env for remote images (#3604)
Update to version 0.37.2:
* BREAKING: use normalized trivy-java-db (#3583)
* fix(image): add timeout for remote images (#3582)
* fix(misconf): handle dot files better (#3550)
Update to version 0.37.1:
* fix(sbom): download the Java DB when generating SBOM (#3539)
* fix: use cgo free sqlite driver (#3521)
* ci: fix path to dist folder (#3527)
Update to version 0.37.0:
* fix(image): close layers (#3517)
* refactor: db client changed (#3515)
* feat(java): use trivy-java-db to get GAV (#3484)
* docs: add note about the limitation in Rekor (#3494)
* docs: aggregate targets (#3503)
* deps: updates wazero to 1.0.0-pre.8 (#3510)
* docs: add alma 9 and rocky 9 to supported os (#3513)
* chore: add missing target labels (#3504)
* docs: add java vulnerability page (#3429)
* feat(image): add support for Docker CIS Benchmark (#3496)
* feat(image): secret scanning on container image config (#3495)
* chore(deps): Upgrade defsec to v0.82.8 (#3488)
* feat(image): scan misconfigurations in image config (#3437)
* chore(helm): update Trivy from v0.30.4 to v0.36.1 (#3489)
* feat(k8s): add node info resource (#3482)
* perf(secret): optimize secret scanning memory usage (#3453)
* feat: support aliases in CLI flag, env and config (#3481)
* fix(k8s): migrate rbac k8s (#3459)
* feat(java): add implementationVendor and specificationVendor fields to detect GroupID from MANIFEST.MF (#3480)
* refactor: rename security-checks to scanners (#3467)
* chore: display the troubleshooting URL for the DB denial error (#3474)
* docs: yaml tabs to spaces, auto create namespace (#3469)
* docs: adding show-and-tell template to GH discussions (#3391)
* fix: Fix a temporary file leak in case of error (#3465)
* fix(test): sort cyclonedx components (#3468)
* docs: fixing spelling mistakes (#3462)
* ci: set paths triggering VM tests in PR (#3438)
* docs: typo in --skip-files (#3454)
* feat(custom-forward): Extended advisory data (#3444)
* docs: fix spelling error (#3436)
* refactor(image): extend image config analyzer (#3434)
* fix(nodejs): add ignore protocols to yarn parser (#3433)
* fix(db): check proxy settings when using insecure flag (#3435)
* feat(misconf): Fetch policies from OCI registry (#3015)
* ci: downgrade Go to 1.18 and use stable and oldstable go versions for unit tests (#3413)
* ci: store URLs to Github Releases in RPM repository (#3414)
* feat(server): add support of `skip-db-update` flag for hot db update (#3416)
* fix(image): handle wrong empty layer detection (#3375)
* test: fix integration tests for spdx and cycloneDX (#3412)
* feat(python): Include Conda packages in SBOMs (#3379)
* feat: add support pubspec.lock files for dart (#3344)
* fix(image): parsePlatform is failing with UNAUTHORIZED error (#3326)
* fix(license): change normalize for GPL-3+-WITH-BISON-EXCEPTION (#3405)
* feat(server): log errors on server side (#3397)
* docs: rewrite installation docs and general improvements (#3368)
* chore: update code owners (#3393)
* chore: test docs separately from code (#3392)
* docs: use the formula maintained by Homebrew (#3389)
* docs: add `Security Management` section with SonarQube plugin
Update to version 0.36.1:
* fix(deps): fix errors on yarn.lock files that contain local file reference (#3384)
* feat(flag): early fail when the format is invalid (#3370)
* docs(aws): fix broken links (#3374)
Update to version 0.36.0:
* docs: improve compliance docs (#3340)
* feat(deps): add yarn lock dependency tree (#3348)
* fix: compliance change id and title naming (#3349)
* feat: add support for mix.lock files for elixir language (#3328)
* feat: add k8s cis bench (#3315)
* test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
* revert: cache merged layers (#3334)
* feat(cyclonedx): add recommendation (#3336)
* feat(ubuntu): added support ubuntu ESM versions (#1893)
* fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
* feat: Adding support for Windows testing (#3037)
* feat: add support for Alpine 3.17 (#3319)
* docs: change PodFile.lock to Podfile.lock (#3318)
* fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
* feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
* chore(go): remove experimental FS API usage in Wasm (#3299)
* ci: add workflow to add issues to roadmap project (#3292)
* fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
* feat(sbom): better support for third-party SBOMs (#3262)
* docs: add information about languages with support for dependency locations (#3306)
* feat(vm): add `region` option to vm scan to be able to scan any region's ami and ebs snapshots (#3284)
* fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
* docs: remove comparisons (#3289)
* feat: add support for Wolfi Linux (#3215)
* ci: add go.mod to canary workflow (#3288)
* feat(python): skip dev dependencies (#3282)
* chore: update ubuntu version for Github action runnners (#3257)
* fix(go): skip dep without Path for go-binaries (#3254)
* feat(rust): add ID for cargo pgks (#3256)
* feat: add support for swift cocoapods lock files (#2956)
* fix(sbom): use proper constants (#3286)
* test(vm): import relevant analyzers (#3285)
* feat: support scan remote repository (#3131)
* docs: fix typo in fluxcd (#3268)
* docs: fix broken 'ecosystem' link in readme (#3280)
* feat(misconf): Add compliance check support (#3130)
* docs: Adding Concourse resource for trivy (#3224)
* chore(deps): change golang from 1.19.2 to 1.19 (#3249)
* fix(sbom): duplicate dependson (#3261)
* chore(go): updates wazero to 1.0.0-pre.4 (#3242)
* feat(report): add dependency locations to sarif format (#3210)
* fix(rpm): add rocky to osVendors (#3241)
* docs: fix a typo (#3236)
* feat(dotnet): add dependency parsing for nuget lock files (#3222)
* docs: add pre-commit hook to community tools (#3203)
* feat(helm): pass arbitrary env vars to trivy (#3208)
Update to version 0.35.0:
* chore(vm): update xfs filesystem parser for change log (#3230)
* feat: add virtual machine scan command (#2910)
* docs: reorganize index and readme (#3026)
* fix: `slowSizeThreshold` should be less than `defaultSizeThreshold` (#3225)
* feat: Export functions for trivy plugin (#3204)
* feat(image): add support wildcard for platform os (#3196)
* fix: load compliance report from file system (#3161)
* fix(suse): use package name to get advisories (#3199)
* docs(image): space issues during image scan (#3190)
* feat(containerd): scan image by digest (#3075)
* fix(vuln): add package name to title (#3183)
* fix: present control status instead of compliance percentage in compliance report (#3181)
* perf(license): remove go-enry/go-license-detector. (#3187)
* fix: workdir command as empty layer (#3087)
* docs: reorganize ecosystem section (#3025)
* feat(dotnet): add support dependency location for dotnet-core files (#3095)
* feat(dotnet): add support dependency location for nuget lock files (#3032)
* chore: update code owners for misconfigurations (#3176)
* feat: add slow mode (#3084)
* docs: fix typo in enable-builin-rules mentions (#3118)
* feat: Add maintainer field to OS packages (#3149)
* docs: fix some typo (#3171)
* docs: fix links on Built-in Policies page (#3124)
* fix: Perform filepath.Clean first and then filepath.ToSlash for skipFile/skipDirs settings (#3144)
* chore: use newline for semantic pr (#3172)
* fix(spdx): rename describes field in spdx (#3102)
* chore: handle GOPATH with several paths in make file (#3092)
* docs(flag): add 'rego' configuration file options (#3165)
* chore(go): updates wazero to 1.0.0-pre.3 (#3090)
* docs(license): fix typo inside quick start (#3134)
* chore: update codeowners for docs (#3135)
* fix(cli): exclude --compliance flag from non supported sub-commands (#3158)
* fix: remove --security-checks none from image help (#3156)
* fix: compliance flag description (#3160)
* docs(k8s): fix a typo (#3163)
Update to version 0.34.0:
* feat(vuln): support dependency graph for RHEL/CentOS (#3094)
* feat(vuln): support dependency graph for dpkg and apk (#3093)
* perf(license): enable license classifier only with '--license-full' (#3086)
* feat(report): add secret scanning to ASFF template (#2860)
* feat: Allow override of containerd namespace (#3060)
* fix(vuln): In alpine use Name as SrcName (#3079)
* fix(secret): Alibaba AccessKey ID (#3083)
Update to version 0.33.0:
* refactor(k8s): custom reports (#3076)
* fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068)
* feat(image): add support for passing architecture and OS (#3012)
* test: disable containerd integration tests for non-amd64 arch (#3073)
* feat(server): Add support for client/server mode to rootfs command (#3021)
* feat(vuln): support non-packaged binaries (#3019)
* feat: compliance reports (#2951)
* fix(flag): disable flag parsing for each plugin command (#3074)
* feat(nodejs): add support dependency location for yarn.lock files (#3016)
* chore: Switch github.com/liamg dependencies to github.com/aquasecurity (#3069)
* feat: add k8s components (#2589)
* fix(secret): update the regex for secrets scanning (#2964)
* fix: bump trivy-kubernetes (#3064)
* docs: fix missing 'image' subcommand (#3051)
* chore: Patch golang x/text vulnerability (#3046)
* chore: add licensed project logo (#3058)
* feat(ubuntu): set Ubuntu 22.10 EOL (#3054)
* refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix (#3028)
* feat(report): Use understandable value for shortDescription in SARIF reports (#3009)
* docs(misconf): fix typo (#3043)
* feat: add support for scanning azure ARM (#3011)
* feat(report): add location.message to SARIF output (#3002) (#3003)
* feat(nodejs): add dependency line numbers for npm lock files (#2932)
* test(fs): add `--skip-files`, `--skip-dirs` (#2984)
* docs: add Woodpecker CI integrations example (#2823)
* fix(sbom): ref generation if serialNumber is empty when input is cyclonedx file (#3000)
* fix(java): don't stop parsing jar file when wrong inner jar is found (#2989)
* fix(sbom): use nuget purl type for dotnet-core (#2990)
* perf: retrieve rekor entries in bulk (#2987)
* feat(aws): Custom rego policies for AWS scanning (#2994)
* docs: jq cli formatting (#2881)
* docs(repo): troubleshooting $TMPDIR customization (#2985)
* chore: run `go fmt` (#2897)
* chore(go): updates wazero to 1.0.0-pre.2 (#2955)
* fix(aws): Less function for slice sorting always returns false #2967
* fix(java): fix unmarshal pom exclusions (#2936)
Update to version 0.32.1:
* fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943)
* chore: expat lib and go binary deps vulns (#2940)
* wasm: Removes accidentally exported memory (#2950)
* fix(sbom): fix package name separation for gradle (#2906)
* docs(readme.md): fix broken integrations link (#2931)
* fix(image): handle images with single layer in rescan mergedLayers cache (#2927)
* fix(cli): split env values with ',' for slice flags (#2926)
* fix(cli): config/helm: also take into account files with `.yml` (#2928)
* fix(flag): add file-patterns flag for config subcommand (#2925)
Update to version 0.32.0:
* docs: add Rekor SBOM attestation scanning (#2893)
* chore: narrow the owner scope (#2894)
* fix: remove a patch number from the recommendation link (#2891)
* fix: enable parsing of UUID-only rekor entry ID (#2887)
* docs(sbom): add SPDX scanning (#2885)
* docs: restructure docs and add tutorials (#2883)
* feat(sbom): scan sbom attestation in the rekor record (#2699)
* feat(k8s): support outdated-api (#2877)
* fix(c): support revisions in Conan parser (#2878)
* feat: dynamic links support for scan results (#2838)
* docs: update archlinux commands (#2876)
* feat(secret): add line from dockerfile where secret was added to secret result (#2780)
* feat(sbom): Add unmarshal for spdx (#2868)
* fix: revert asff arn and add documentation (#2852)
* docs: batch-import-findings limit (#2851)
* feat(sbom): Add marshal for spdx (#2867)
* build: checkout before setting up Go (#2873)
* docs: azure doc and trivy (#2869)
* fix: Scan tarr'd dependencies (#2857)
* chore(helm): helm test with ingress (#2630)
* feat(report): add secrets to sarif format (#2820)
* refactor: add a new interface for initializing analyzers (#2835)
* fix: update ProductArn with account id (#2782)
* feat(helm): make cache TTL configurable (#2798)
* build(): Sign releaser artifacts, not only container manifests (#2789)
* chore: improve doc about azure devops (#2795)
* docs: don't push patch versions (#2824)
* feat: add support for conan.lock file (#2779)
* feat: cache merged layers
* feat: add support for gradle.lockfile (#2759)
* feat: move file patterns to a global level to be able to use it on any analyzer (#2539)
* Fix url validaton failures (#2783)
* fix(image): add logic to detect empty layers (#2790)
* feat(rust): add dependency graph from Rust binaries (#2771)
Update to version 0.31.3:
* fix: handle empty OS family (#2768)
* fix: fix k8s summary report (#2777)
* fix: don't skip packages that don't contain vulns, when using --list-all-pkgs flag (#2767)
* chore: bump trivy-kubernetes (#2770)
* fix(secret): Consider secrets in rpc calls (#2753)
* fix(java): check depManagement from upper pom's (#2747)
* fix(php): skip `composer.lock` inside `vendor` folder (#2718)
* fix: fix k8s rbac filter (#2765)
* feat(misconf): skipping misconfigurations by AVD ID (#2743)
* chore(deps): Upgrade Alpine to 3.16.2 to fix zlib issue (#2741)
* docs: add MacPorts install instructions (#2727)
* docs: typo (#2730)
Update to version 0.31.2:
* fix: Correctly handle recoverable AWS scanning errors (#2726)
* docs: Remove reference to SecurityAudit policy for AWS scanning (#2721)
Update to version 0.31.1:
* fix: upgrade defsec to v0.71.7 for elb scan panic (#2720)
Update to version 0.31.0:
* fix(flag): add error when there are no supported security checks (#2713)
* fix(vuln): continue scanning when no vuln found in the first application (#2712)
* revert: add new classes for vulnerabilities (#2701)
* feat(secret): detect secrets removed or overwritten in upper layer (#2611)
* fix(cli): secret scanning perf link fix (#2607)
* chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650)
* feat: Add AWS Cloud scanning (#2493)
* docs: specify the type when verifying an attestation (#2697)
* docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (#2690)
* fix(rpc): scanResponse rpc conversion for custom resources (#2692)
* feat(rust): Add support for cargo-auditable (#2675)
* feat: Support passing value overrides for configuration checks (#2679)
* feat(sbom): add support for scanning a sbom attestation (#2652)
* chore(image): skip symlinks and hardlinks from tar scan (#2634)
* fix(report): Update junit.tpl (#2677)
* fix(cyclonedx): add nil check to metadata.component (#2673)
* docs(secret): fix missing and broken links (#2674)
* refactor(cyclonedx): implement json.Unmarshaler (#2662)
* feat(kubernetes): add option to specify kubeconfig file path (#2576)
* docs: follow Debian's 'instructions to connect to a third-party repository' (#2511)
* feat(alma): set AlmaLinux 9 EOL (#2653)
* fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (#2636)
* test(misconf): add tests for misconf handler for dockerfiles (#2621)
* feat(oracle): set Oracle Linux 9 EOL (#2635)
* BREAKING: add new classes for vulnerabilities (#2541)
* fix(secret): add newline escaping for asymmetric private key (#2532)
* docs: improve formatting (#2572)
* feat(helm): allows users to define an existing secret for tokens (#2587)
* docs(mariner): use tdnf in fs usage example (#2616)
* docs: remove unnecessary double quotation marks (#2609)
* fix: Fix --file-patterns flag (#2625)
* feat(report): add support for Cosign vulnerability attestation (#2567)
* docs(mariner): use v2.0 in examples (#2602)
* feat(report): add secrets template for codequality report (#2461)
Patchnames: openSUSE-2023-64
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.3 (Medium)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for trivy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for trivy fixes the following issues:\n\nUpdate to version 0.37.3 (boo#1208091, CVE-2023-25165):\n\n* chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574)\n* ci: quote pros in c++ for semantic pr (#3605)\n* fix(image): check proxy settings from env for remote images (#3604)\n\nUpdate to version 0.37.2:\n\n* BREAKING: use normalized trivy-java-db (#3583)\n* fix(image): add timeout for remote images (#3582)\n* fix(misconf): handle dot files better (#3550)\n\nUpdate to version 0.37.1:\n\n* fix(sbom): download the Java DB when generating SBOM (#3539)\n* fix: use cgo free sqlite driver (#3521)\n* ci: fix path to dist folder (#3527)\n\nUpdate to version 0.37.0:\n\n* fix(image): close layers (#3517)\n* refactor: db client changed (#3515)\n* feat(java): use trivy-java-db to get GAV (#3484)\n* docs: add note about the limitation in Rekor (#3494)\n* docs: aggregate targets (#3503)\n* deps: updates wazero to 1.0.0-pre.8 (#3510)\n* docs: add alma 9 and rocky 9 to supported os (#3513)\n* chore: add missing target labels (#3504)\n* docs: add java vulnerability page (#3429)\n* feat(image): add support for Docker CIS Benchmark (#3496)\n* feat(image): secret scanning on container image config (#3495)\n* chore(deps): Upgrade defsec to v0.82.8 (#3488)\n* feat(image): scan misconfigurations in image config (#3437)\n* chore(helm): update Trivy from v0.30.4 to v0.36.1 (#3489)\n* feat(k8s): add node info resource (#3482)\n* perf(secret): optimize secret scanning memory usage (#3453)\n* feat: support aliases in CLI flag, env and config (#3481)\n* fix(k8s): migrate rbac k8s (#3459)\n* feat(java): add implementationVendor and specificationVendor fields to detect GroupID from MANIFEST.MF (#3480)\n* refactor: rename security-checks to scanners (#3467)\n* chore: display the troubleshooting URL for the DB denial error (#3474)\n* docs: yaml tabs to spaces, auto create namespace (#3469)\n* docs: adding show-and-tell template to GH discussions (#3391)\n* fix: Fix a temporary file leak in case of error (#3465)\n* fix(test): sort cyclonedx components (#3468)\n* docs: fixing spelling mistakes (#3462)\n* ci: set paths triggering VM tests in PR (#3438)\n* docs: typo in --skip-files (#3454)\n* feat(custom-forward): Extended advisory data (#3444)\n* docs: fix spelling error (#3436)\n* refactor(image): extend image config analyzer (#3434)\n* fix(nodejs): add ignore protocols to yarn parser (#3433)\n* fix(db): check proxy settings when using insecure flag (#3435)\n* feat(misconf): Fetch policies from OCI registry (#3015)\n* ci: downgrade Go to 1.18 and use stable and oldstable go versions for unit tests (#3413)\n* ci: store URLs to Github Releases in RPM repository (#3414)\n* feat(server): add support of `skip-db-update` flag for hot db update (#3416)\n* fix(image): handle wrong empty layer detection (#3375)\n* test: fix integration tests for spdx and cycloneDX (#3412)\n* feat(python): Include Conda packages in SBOMs (#3379)\n* feat: add support pubspec.lock files for dart (#3344)\n* fix(image): parsePlatform is failing with UNAUTHORIZED error (#3326)\n* fix(license): change normalize for GPL-3+-WITH-BISON-EXCEPTION (#3405)\n* feat(server): log errors on server side (#3397)\n* docs: rewrite installation docs and general improvements (#3368)\n* chore: update code owners (#3393)\n* chore: test docs separately from code (#3392)\n* docs: use the formula maintained by Homebrew (#3389)\n* docs: add `Security Management` section with SonarQube plugin\n\nUpdate to version 0.36.1:\n\n* fix(deps): fix errors on yarn.lock files that contain local file reference (#3384)\n* feat(flag): early fail when the format is invalid (#3370)\n* docs(aws): fix broken links (#3374)\n\nUpdate to version 0.36.0:\n\n* docs: improve compliance docs (#3340)\n* feat(deps): add yarn lock dependency tree (#3348)\n* fix: compliance change id and title naming (#3349)\n* feat: add support for mix.lock files for elixir language (#3328)\n* feat: add k8s cis bench (#3315)\n* test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)\n* revert: cache merged layers (#3334)\n* feat(cyclonedx): add recommendation (#3336)\n* feat(ubuntu): added support ubuntu ESM versions (#1893)\n* fix: change logic to build relative paths for skip-dirs and skip-files (#3331)\n* feat: Adding support for Windows testing (#3037)\n* feat: add support for Alpine 3.17 (#3319)\n* docs: change PodFile.lock to Podfile.lock (#3318)\n* fix(sbom): support for the detection of old CycloneDX predicate type (#3316)\n* feat(secret): Use .trivyignore for filtering secret scanning result (#3312)\n* chore(go): remove experimental FS API usage in Wasm (#3299)\n* ci: add workflow to add issues to roadmap project (#3292)\n* fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)\n* feat(sbom): better support for third-party SBOMs (#3262)\n* docs: add information about languages with support for dependency locations (#3306)\n* feat(vm): add `region` option to vm scan to be able to scan any region\u0027s ami and ebs snapshots (#3284)\n* fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)\n* docs: remove comparisons (#3289)\n* feat: add support for Wolfi Linux (#3215)\n* ci: add go.mod to canary workflow (#3288)\n* feat(python): skip dev dependencies (#3282)\n* chore: update ubuntu version for Github action runnners (#3257)\n* fix(go): skip dep without Path for go-binaries (#3254)\n* feat(rust): add ID for cargo pgks (#3256)\n* feat: add support for swift cocoapods lock files (#2956)\n* fix(sbom): use proper constants (#3286)\n* test(vm): import relevant analyzers (#3285)\n* feat: support scan remote repository (#3131)\n* docs: fix typo in fluxcd (#3268)\n* docs: fix broken \u0027ecosystem\u0027 link in readme (#3280)\n* feat(misconf): Add compliance check support (#3130)\n* docs: Adding Concourse resource for trivy (#3224)\n* chore(deps): change golang from 1.19.2 to 1.19 (#3249)\n* fix(sbom): duplicate dependson (#3261)\n* chore(go): updates wazero to 1.0.0-pre.4 (#3242)\n* feat(report): add dependency locations to sarif format (#3210)\n* fix(rpm): add rocky to osVendors (#3241)\n* docs: fix a typo (#3236)\n* feat(dotnet): add dependency parsing for nuget lock files (#3222)\n* docs: add pre-commit hook to community tools (#3203)\n* feat(helm): pass arbitrary env vars to trivy (#3208)\n\nUpdate to version 0.35.0:\n\n* chore(vm): update xfs filesystem parser for change log (#3230)\n* feat: add virtual machine scan command (#2910)\n* docs: reorganize index and readme (#3026)\n* fix: `slowSizeThreshold` should be less than `defaultSizeThreshold` (#3225)\n* feat: Export functions for trivy plugin (#3204)\n* feat(image): add support wildcard for platform os (#3196)\n* fix: load compliance report from file system (#3161)\n* fix(suse): use package name to get advisories (#3199)\n* docs(image): space issues during image scan (#3190)\n* feat(containerd): scan image by digest (#3075)\n* fix(vuln): add package name to title (#3183)\n* fix: present control status instead of compliance percentage in compliance report (#3181)\n* perf(license): remove go-enry/go-license-detector. (#3187)\n* fix: workdir command as empty layer (#3087)\n* docs: reorganize ecosystem section (#3025)\n* feat(dotnet): add support dependency location for dotnet-core files (#3095)\n* feat(dotnet): add support dependency location for nuget lock files (#3032)\n* chore: update code owners for misconfigurations (#3176)\n* feat: add slow mode (#3084)\n* docs: fix typo in enable-builin-rules mentions (#3118)\n* feat: Add maintainer field to OS packages (#3149)\n* docs: fix some typo (#3171)\n* docs: fix links on Built-in Policies page (#3124)\n* fix: Perform filepath.Clean first and then filepath.ToSlash for skipFile/skipDirs settings (#3144)\n* chore: use newline for semantic pr (#3172)\n* fix(spdx): rename describes field in spdx (#3102)\n* chore: handle GOPATH with several paths in make file (#3092)\n* docs(flag): add \u0027rego\u0027 configuration file options (#3165)\n* chore(go): updates wazero to 1.0.0-pre.3 (#3090)\n* docs(license): fix typo inside quick start (#3134)\n* chore: update codeowners for docs (#3135)\n* fix(cli): exclude --compliance flag from non supported sub-commands (#3158)\n* fix: remove --security-checks none from image help (#3156)\n* fix: compliance flag description (#3160)\n* docs(k8s): fix a typo (#3163)\n\nUpdate to version 0.34.0:\n\n* feat(vuln): support dependency graph for RHEL/CentOS (#3094)\n* feat(vuln): support dependency graph for dpkg and apk (#3093)\n* perf(license): enable license classifier only with \u0027--license-full\u0027 (#3086)\n* feat(report): add secret scanning to ASFF template (#2860)\n* feat: Allow override of containerd namespace (#3060)\n* fix(vuln): In alpine use Name as SrcName (#3079)\n* fix(secret): Alibaba AccessKey ID (#3083)\n\nUpdate to version 0.33.0:\n\n* refactor(k8s): custom reports (#3076)\n* fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068)\n* feat(image): add support for passing architecture and OS (#3012)\n* test: disable containerd integration tests for non-amd64 arch (#3073)\n* feat(server): Add support for client/server mode to rootfs command (#3021)\n* feat(vuln): support non-packaged binaries (#3019)\n* feat: compliance reports (#2951)\n* fix(flag): disable flag parsing for each plugin command (#3074)\n* feat(nodejs): add support dependency location for yarn.lock files (#3016)\n* chore: Switch github.com/liamg dependencies to github.com/aquasecurity (#3069)\n* feat: add k8s components (#2589)\n* fix(secret): update the regex for secrets scanning (#2964)\n* fix: bump trivy-kubernetes (#3064)\n* docs: fix missing \u0027image\u0027 subcommand (#3051)\n* chore: Patch golang x/text vulnerability (#3046)\n* chore: add licensed project logo (#3058)\n* feat(ubuntu): set Ubuntu 22.10 EOL (#3054)\n* refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix (#3028)\n* feat(report): Use understandable value for shortDescription in SARIF reports (#3009)\n* docs(misconf): fix typo (#3043)\n* feat: add support for scanning azure ARM (#3011)\n* feat(report): add location.message to SARIF output (#3002) (#3003)\n* feat(nodejs): add dependency line numbers for npm lock files (#2932)\n* test(fs): add `--skip-files`, `--skip-dirs` (#2984)\n* docs: add Woodpecker CI integrations example (#2823)\n* fix(sbom): ref generation if serialNumber is empty when input is cyclonedx file (#3000)\n* fix(java): don\u0027t stop parsing jar file when wrong inner jar is found (#2989)\n* fix(sbom): use nuget purl type for dotnet-core (#2990)\n* perf: retrieve rekor entries in bulk (#2987)\n* feat(aws): Custom rego policies for AWS scanning (#2994)\n* docs: jq cli formatting (#2881)\n* docs(repo): troubleshooting $TMPDIR customization (#2985)\n* chore: run `go fmt` (#2897)\n* chore(go): updates wazero to 1.0.0-pre.2 (#2955)\n* fix(aws): Less function for slice sorting always returns false #2967\n* fix(java): fix unmarshal pom exclusions (#2936)\n\nUpdate to version 0.32.1:\n\n* fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943)\n* chore: expat lib and go binary deps vulns (#2940)\n* wasm: Removes accidentally exported memory (#2950)\n* fix(sbom): fix package name separation for gradle (#2906)\n* docs(readme.md): fix broken integrations link (#2931)\n* fix(image): handle images with single layer in rescan mergedLayers cache (#2927)\n* fix(cli): split env values with \u0027,\u0027 for slice flags (#2926)\n* fix(cli): config/helm: also take into account files with `.yml` (#2928)\n* fix(flag): add file-patterns flag for config subcommand (#2925)\n\nUpdate to version 0.32.0:\n\n* docs: add Rekor SBOM attestation scanning (#2893)\n* chore: narrow the owner scope (#2894)\n* fix: remove a patch number from the recommendation link (#2891)\n* fix: enable parsing of UUID-only rekor entry ID (#2887)\n* docs(sbom): add SPDX scanning (#2885)\n* docs: restructure docs and add tutorials (#2883)\n* feat(sbom): scan sbom attestation in the rekor record (#2699)\n* feat(k8s): support outdated-api (#2877)\n* fix(c): support revisions in Conan parser (#2878)\n* feat: dynamic links support for scan results (#2838)\n* docs: update archlinux commands (#2876)\n* feat(secret): add line from dockerfile where secret was added to secret result (#2780)\n* feat(sbom): Add unmarshal for spdx (#2868)\n* fix: revert asff arn and add documentation (#2852)\n* docs: batch-import-findings limit (#2851)\n* feat(sbom): Add marshal for spdx (#2867)\n* build: checkout before setting up Go (#2873)\n* docs: azure doc and trivy (#2869)\n* fix: Scan tarr\u0027d dependencies (#2857)\n* chore(helm): helm test with ingress (#2630)\n* feat(report): add secrets to sarif format (#2820)\n* refactor: add a new interface for initializing analyzers (#2835)\n* fix: update ProductArn with account id (#2782)\n* feat(helm): make cache TTL configurable (#2798)\n* build(): Sign releaser artifacts, not only container manifests (#2789)\n* chore: improve doc about azure devops (#2795)\n* docs: don\u0027t push patch versions (#2824)\n* feat: add support for conan.lock file (#2779)\n* feat: cache merged layers\n* feat: add support for gradle.lockfile (#2759)\n* feat: move file patterns to a global level to be able to use it on any analyzer (#2539)\n* Fix url validaton failures (#2783)\n* fix(image): add logic to detect empty layers (#2790)\n* feat(rust): add dependency graph from Rust binaries (#2771)\n\nUpdate to version 0.31.3:\n\n* fix: handle empty OS family (#2768)\n* fix: fix k8s summary report (#2777)\n* fix: don\u0027t skip packages that don\u0027t contain vulns, when using --list-all-pkgs flag (#2767)\n* chore: bump trivy-kubernetes (#2770)\n* fix(secret): Consider secrets in rpc calls (#2753)\n* fix(java): check depManagement from upper pom\u0027s (#2747)\n* fix(php): skip `composer.lock` inside `vendor` folder (#2718)\n* fix: fix k8s rbac filter (#2765)\n* feat(misconf): skipping misconfigurations by AVD ID (#2743)\n* chore(deps): Upgrade Alpine to 3.16.2 to fix zlib issue (#2741)\n* docs: add MacPorts install instructions (#2727)\n* docs: typo (#2730)\n\nUpdate to version 0.31.2:\n\n* fix: Correctly handle recoverable AWS scanning errors (#2726)\n* docs: Remove reference to SecurityAudit policy for AWS scanning (#2721)\n\nUpdate to version 0.31.1:\n\n* fix: upgrade defsec to v0.71.7 for elb scan panic (#2720)\n\nUpdate to version 0.31.0:\n\n* fix(flag): add error when there are no supported security checks (#2713)\n* fix(vuln): continue scanning when no vuln found in the first application (#2712)\n* revert: add new classes for vulnerabilities (#2701)\n* feat(secret): detect secrets removed or overwritten in upper layer (#2611)\n* fix(cli): secret scanning perf link fix (#2607)\n* chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650)\n* feat: Add AWS Cloud scanning (#2493)\n* docs: specify the type when verifying an attestation (#2697)\n* docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (#2690)\n* fix(rpc): scanResponse rpc conversion for custom resources (#2692)\n* feat(rust): Add support for cargo-auditable (#2675)\n* feat: Support passing value overrides for configuration checks (#2679)\n* feat(sbom): add support for scanning a sbom attestation (#2652)\n* chore(image): skip symlinks and hardlinks from tar scan (#2634)\n* fix(report): Update junit.tpl (#2677)\n* fix(cyclonedx): add nil check to metadata.component (#2673)\n* docs(secret): fix missing and broken links (#2674)\n* refactor(cyclonedx): implement json.Unmarshaler (#2662)\n* feat(kubernetes): add option to specify kubeconfig file path (#2576)\n* docs: follow Debian\u0027s \u0027instructions to connect to a third-party repository\u0027 (#2511)\n* feat(alma): set AlmaLinux 9 EOL (#2653)\n* fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (#2636)\n* test(misconf): add tests for misconf handler for dockerfiles (#2621)\n* feat(oracle): set Oracle Linux 9 EOL (#2635)\n* BREAKING: add new classes for vulnerabilities (#2541)\n* fix(secret): add newline escaping for asymmetric private key (#2532)\n* docs: improve formatting (#2572)\n* feat(helm): allows users to define an existing secret for tokens (#2587)\n* docs(mariner): use tdnf in fs usage example (#2616)\n* docs: remove unnecessary double quotation marks (#2609)\n* fix: Fix --file-patterns flag (#2625)\n* feat(report): add support for Cosign vulnerability attestation (#2567)\n* docs(mariner): use v2.0 in examples (#2602)\n* feat(report): add secrets template for codequality report (#2461)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2023-64",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0064-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2023:0064-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZC5NXZSDG2FYOHGXMQE4LMFVABIGBY3E/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2023:0064-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZC5NXZSDG2FYOHGXMQE4LMFVABIGBY3E/"
},
{
"category": "self",
"summary": "SUSE Bug 1208091",
"url": "https://bugzilla.suse.com/1208091"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-25165 page",
"url": "https://www.suse.com/security/cve/CVE-2023-25165/"
}
],
"title": "Security update for trivy",
"tracking": {
"current_release_date": "2023-03-05T19:03:40Z",
"generator": {
"date": "2023-03-05T19:03:40Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2023:0064-1",
"initial_release_date": "2023-03-05T19:03:40Z",
"revision_history": [
{
"date": "2023-03-05T19:03:40Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.37.3-bp154.2.9.1.aarch64",
"product": {
"name": "trivy-0.37.3-bp154.2.9.1.aarch64",
"product_id": "trivy-0.37.3-bp154.2.9.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.37.3-bp154.2.9.1.i586",
"product": {
"name": "trivy-0.37.3-bp154.2.9.1.i586",
"product_id": "trivy-0.37.3-bp154.2.9.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.37.3-bp154.2.9.1.ppc64le",
"product": {
"name": "trivy-0.37.3-bp154.2.9.1.ppc64le",
"product_id": "trivy-0.37.3-bp154.2.9.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.37.3-bp154.2.9.1.s390x",
"product": {
"name": "trivy-0.37.3-bp154.2.9.1.s390x",
"product_id": "trivy-0.37.3-bp154.2.9.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.37.3-bp154.2.9.1.x86_64",
"product": {
"name": "trivy-0.37.3-bp154.2.9.1.x86_64",
"product_id": "trivy-0.37.3-bp154.2.9.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP4",
"product": {
"name": "SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.37.3-bp154.2.9.1.aarch64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.aarch64"
},
"product_reference": "trivy-0.37.3-bp154.2.9.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.37.3-bp154.2.9.1.i586 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.i586"
},
"product_reference": "trivy-0.37.3-bp154.2.9.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.37.3-bp154.2.9.1.ppc64le as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.ppc64le"
},
"product_reference": "trivy-0.37.3-bp154.2.9.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.37.3-bp154.2.9.1.s390x as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.s390x"
},
"product_reference": "trivy-0.37.3-bp154.2.9.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.37.3-bp154.2.9.1.x86_64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.x86_64"
},
"product_reference": "trivy-0.37.3-bp154.2.9.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.37.3-bp154.2.9.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.aarch64"
},
"product_reference": "trivy-0.37.3-bp154.2.9.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.37.3-bp154.2.9.1.i586 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.i586"
},
"product_reference": "trivy-0.37.3-bp154.2.9.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.37.3-bp154.2.9.1.ppc64le as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.ppc64le"
},
"product_reference": "trivy-0.37.3-bp154.2.9.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.37.3-bp154.2.9.1.s390x as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.s390x"
},
"product_reference": "trivy-0.37.3-bp154.2.9.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.37.3-bp154.2.9.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.x86_64"
},
"product_reference": "trivy-0.37.3-bp154.2.9.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-25165",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-25165"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.aarch64",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.i586",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.ppc64le",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.s390x",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.x86_64",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.aarch64",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.i586",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.ppc64le",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.s390x",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-25165",
"url": "https://www.suse.com/security/cve/CVE-2023-25165"
},
{
"category": "external",
"summary": "SUSE Bug 1208083 for CVE-2023-25165",
"url": "https://bugzilla.suse.com/1208083"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.aarch64",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.i586",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.ppc64le",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.s390x",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.x86_64",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.aarch64",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.i586",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.ppc64le",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.s390x",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.aarch64",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.i586",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.ppc64le",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.s390x",
"SUSE Package Hub 15 SP4:trivy-0.37.3-bp154.2.9.1.x86_64",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.aarch64",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.i586",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.ppc64le",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.s390x",
"openSUSE Leap 15.4:trivy-0.37.3-bp154.2.9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-03-05T19:03:40Z",
"details": "moderate"
}
],
"title": "CVE-2023-25165"
}
]
}
OPENSUSE-SU-2024:12667-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
helm-3.11.1-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: helm-3.11.1-1.1 on GA media
Description of the patch: These are all security issues fixed in the helm-3.11.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12667
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.3 (Medium)
Affected products
Recommended
16 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm-3.11.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-3.11.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-3.11.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-3.11.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "helm-3.11.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the helm-3.11.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12667",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12667-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-25165 page",
"url": "https://www.suse.com/security/cve/CVE-2023-25165/"
}
],
"title": "helm-3.11.1-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12667-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.11.1-1.1.aarch64",
"product": {
"name": "helm-3.11.1-1.1.aarch64",
"product_id": "helm-3.11.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helm-bash-completion-3.11.1-1.1.aarch64",
"product": {
"name": "helm-bash-completion-3.11.1-1.1.aarch64",
"product_id": "helm-bash-completion-3.11.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.11.1-1.1.aarch64",
"product": {
"name": "helm-fish-completion-3.11.1-1.1.aarch64",
"product_id": "helm-fish-completion-3.11.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.11.1-1.1.aarch64",
"product": {
"name": "helm-zsh-completion-3.11.1-1.1.aarch64",
"product_id": "helm-zsh-completion-3.11.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.11.1-1.1.ppc64le",
"product": {
"name": "helm-3.11.1-1.1.ppc64le",
"product_id": "helm-3.11.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helm-bash-completion-3.11.1-1.1.ppc64le",
"product": {
"name": "helm-bash-completion-3.11.1-1.1.ppc64le",
"product_id": "helm-bash-completion-3.11.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.11.1-1.1.ppc64le",
"product": {
"name": "helm-fish-completion-3.11.1-1.1.ppc64le",
"product_id": "helm-fish-completion-3.11.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.11.1-1.1.ppc64le",
"product": {
"name": "helm-zsh-completion-3.11.1-1.1.ppc64le",
"product_id": "helm-zsh-completion-3.11.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.11.1-1.1.s390x",
"product": {
"name": "helm-3.11.1-1.1.s390x",
"product_id": "helm-3.11.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helm-bash-completion-3.11.1-1.1.s390x",
"product": {
"name": "helm-bash-completion-3.11.1-1.1.s390x",
"product_id": "helm-bash-completion-3.11.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.11.1-1.1.s390x",
"product": {
"name": "helm-fish-completion-3.11.1-1.1.s390x",
"product_id": "helm-fish-completion-3.11.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.11.1-1.1.s390x",
"product": {
"name": "helm-zsh-completion-3.11.1-1.1.s390x",
"product_id": "helm-zsh-completion-3.11.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.11.1-1.1.x86_64",
"product": {
"name": "helm-3.11.1-1.1.x86_64",
"product_id": "helm-3.11.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helm-bash-completion-3.11.1-1.1.x86_64",
"product": {
"name": "helm-bash-completion-3.11.1-1.1.x86_64",
"product_id": "helm-bash-completion-3.11.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.11.1-1.1.x86_64",
"product": {
"name": "helm-fish-completion-3.11.1-1.1.x86_64",
"product_id": "helm-fish-completion-3.11.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.11.1-1.1.x86_64",
"product": {
"name": "helm-zsh-completion-3.11.1-1.1.x86_64",
"product_id": "helm-zsh-completion-3.11.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.11.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-3.11.1-1.1.aarch64"
},
"product_reference": "helm-3.11.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.11.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-3.11.1-1.1.ppc64le"
},
"product_reference": "helm-3.11.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.11.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-3.11.1-1.1.s390x"
},
"product_reference": "helm-3.11.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.11.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-3.11.1-1.1.x86_64"
},
"product_reference": "helm-3.11.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.11.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.aarch64"
},
"product_reference": "helm-bash-completion-3.11.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.11.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.ppc64le"
},
"product_reference": "helm-bash-completion-3.11.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.11.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.s390x"
},
"product_reference": "helm-bash-completion-3.11.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.11.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.x86_64"
},
"product_reference": "helm-bash-completion-3.11.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.11.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.aarch64"
},
"product_reference": "helm-fish-completion-3.11.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.11.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.ppc64le"
},
"product_reference": "helm-fish-completion-3.11.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.11.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.s390x"
},
"product_reference": "helm-fish-completion-3.11.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.11.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.x86_64"
},
"product_reference": "helm-fish-completion-3.11.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.11.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.aarch64"
},
"product_reference": "helm-zsh-completion-3.11.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.11.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.ppc64le"
},
"product_reference": "helm-zsh-completion-3.11.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.11.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.s390x"
},
"product_reference": "helm-zsh-completion-3.11.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.11.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.x86_64"
},
"product_reference": "helm-zsh-completion-3.11.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-25165",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-25165"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-3.11.1-1.1.x86_64",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.x86_64",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.x86_64",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-25165",
"url": "https://www.suse.com/security/cve/CVE-2023-25165"
},
{
"category": "external",
"summary": "SUSE Bug 1208083 for CVE-2023-25165",
"url": "https://bugzilla.suse.com/1208083"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-3.11.1-1.1.x86_64",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.x86_64",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.x86_64",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-3.11.1-1.1.x86_64",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-bash-completion-3.11.1-1.1.x86_64",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-fish-completion-3.11.1-1.1.x86_64",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.aarch64",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.ppc64le",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.s390x",
"openSUSE Tumbleweed:helm-zsh-completion-3.11.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-25165"
}
]
}
OPENSUSE-SU-2024:12668-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
helmfile-0.150.0-2.1 on GA media
Severity
Moderate
Notes
Title of the patch: helmfile-0.150.0-2.1 on GA media
Description of the patch: These are all security issues fixed in the helmfile-0.150.0-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12668
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helmfile-0.150.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-0.150.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-0.150.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:helmfile-0.150.0-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "helmfile-0.150.0-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the helmfile-0.150.0-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12668",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12668-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-25165 page",
"url": "https://www.suse.com/security/cve/CVE-2023-25165/"
}
],
"title": "helmfile-0.150.0-2.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12668-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helmfile-0.150.0-2.1.aarch64",
"product": {
"name": "helmfile-0.150.0-2.1.aarch64",
"product_id": "helmfile-0.150.0-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helmfile-0.150.0-2.1.ppc64le",
"product": {
"name": "helmfile-0.150.0-2.1.ppc64le",
"product_id": "helmfile-0.150.0-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helmfile-0.150.0-2.1.s390x",
"product": {
"name": "helmfile-0.150.0-2.1.s390x",
"product_id": "helmfile-0.150.0-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helmfile-0.150.0-2.1.x86_64",
"product": {
"name": "helmfile-0.150.0-2.1.x86_64",
"product_id": "helmfile-0.150.0-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-0.150.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-0.150.0-2.1.aarch64"
},
"product_reference": "helmfile-0.150.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-0.150.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-0.150.0-2.1.ppc64le"
},
"product_reference": "helmfile-0.150.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-0.150.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-0.150.0-2.1.s390x"
},
"product_reference": "helmfile-0.150.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helmfile-0.150.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helmfile-0.150.0-2.1.x86_64"
},
"product_reference": "helmfile-0.150.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-25165",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-25165"
}
],
"notes": [
{
"category": "general",
"text": "Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.aarch64",
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.ppc64le",
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.s390x",
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-25165",
"url": "https://www.suse.com/security/cve/CVE-2023-25165"
},
{
"category": "external",
"summary": "SUSE Bug 1208083 for CVE-2023-25165",
"url": "https://bugzilla.suse.com/1208083"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.aarch64",
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.ppc64le",
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.s390x",
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.aarch64",
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.ppc64le",
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.s390x",
"openSUSE Tumbleweed:helmfile-0.150.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-25165"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…