CVE-2020-11013 Information

Description

Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. lookup is a Helm template function introduced in Helm v3. It is able to lookup resources in the cluster to check for the existence of specific resources and get details about them. This can be used as part of the process to render templates. The documented behavior of helm template states that it does not attach to a remote cluster. However a the recently added lookup template function circumvents this restriction and connects to the cluster even during helm template and helm install|update|delete|rollback --dry-run. The user is not notified of this behavior. Running helm template should not make calls to a cluster. This is different from install which is presumed to have access to a cluster in order to load resources into Kubernetes. Helm 2 is unaffected by this vulnerability. A malicious chart author could inject a lookup into a chart that when rendered through helm template performs unannounced lookups against the cluster a user&39;s KUBECONFIG file points to. This information can then be disclosed via the output of helm template. This issue has been fixed in Helm 3.2.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Reference

https://github.com/helm/helm/releases/tag/v3.2.0 https://github.com/helm/helm/security/advisories/GHSA-q8q8-93cv-v6h8

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

5.0