PT-2020-12493 · Helm+1

Technosophos · Published 2020-04-24 · Updated 2024-03-06 · CVE-2020-11013

CVSS v3.1: 8.5 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Helm versions 3.0.0 through 3.1.2

Description

There is an information disclosure issue in Helm. The lookup template function, introduced in Helm v3, can look up resources in the cluster to check for the existence of specific resources and get details about them. This function circumvents the documented behavior of helm template, which states that it does not attach to a remote cluster. A malicious chart author could inject a lookup into a chart that, when rendered through helm template, performs unannounced lookups against the cluster a user's KUBECONFIG file points to. This information can then be disclosed via the output of helm template.

Recommendations

For Helm versions 3.0.0 through 3.1.2, update to Helm 3.2.0 to fix the issue. As a temporary workaround, consider running helm lint on an untrusted chart before running helm template, as it will fail with an error if the lookup function is used. Alternatively, set the KUBECONFIG environment variable to point to an empty Kubernetes configuration file to prevent unintended network connections. Manually analyze a chart for the presence of a lookup function in any file in the templates/ directory to identify potential risks.
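The following script is an added example, not code from the advisory or from the Helm project. It automates the two workarounds above: it scans a chart's templates/ directory for `lookup` actions before rendering, and it renders with KUBECONFIG pointed at an empty file so a lookup that slips through has no cluster to query. The sample charts it builds are constructed for illustration, and the `<chart>/templates/` layout is assumed.

```shell
#!/bin/sh
# Added example (not the advisory's or Helm's own code): pre-render check for the
# `lookup` template function plus an offline render with an empty KUBECONFIG.

# Print every template line that calls `lookup` inside a {{ }} action.
# Returns 0 when none is found, 1 when at least one is, 2 when templates/ is missing.
# grep works line by line, so a multi-line action is only caught on the line that
# carries `lookup`; treat any hit as a reason for manual review of the chart.
chart_has_lookup() {
  chart="$1"
  [ -d "$chart/templates" ] || { echo "no templates/ directory in $chart" >&2; return 2; }
  hits=$(grep -rnE '\{\{[^}]*[[:space:](|]lookup[[:space:]"]' "$chart/templates") || true
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Render with an empty kubeconfig (no clusters, no credentials), so `helm template`
# cannot reach the cluster the user's real KUBECONFIG points to. Needs helm installed.
render_offline() {
  chart="$1"
  empty=$(mktemp) || return 2
  KUBECONFIG="$empty" helm template "$chart"
  rc=$?
  rm -f "$empty"
  return $rc
}

# Constructed sample charts for a stand-alone run: one with a lookup, one without.
make_sample_chart() {          # usage: make_sample_chart <dir> <with_lookup: yes|no>
  mkdir -p "$1/templates"
  printf 'apiVersion: v2\nname: sample\nversion: 0.1.0\n' > "$1/Chart.yaml"
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: {{ .Release.Name }}\n' > "$1/templates/cm.yaml"
  if [ "$2" = yes ]; then
    # the kind of injected action the advisory describes (constructed sample)
    printf 'data:\n  leaked: {{ (lookup "v1" "Secret" .Release.Namespace "app-secret") | toJson | quote }}\n' \
      >> "$1/templates/cm.yaml"
  fi
}

demo() {
  tmp=$(mktemp -d)
  make_sample_chart "$tmp/bad" yes
  make_sample_chart "$tmp/good" no
  chart_has_lookup "$tmp/good" && echo "good: no lookup found, render_offline is safe to run"
  chart_has_lookup "$tmp/bad"  || echo "bad: lookup found, refusing to render"
  rm -rf "$tmp"
}
```

Run `demo` to see both outcomes; in a real pipeline call `chart_has_lookup "$chart" && render_offline "$chart"` so rendering only happens for charts that pass the scan.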

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2020-3396
ALT-PU-2020-3416
ALT-PU-2022-1250
BIT-HELM-2020-11013
CVE-2020-11013
GHSA-Q8Q8-93CV-V6H8

Affected Products

Alt Linux
Helm