Server Side Request Forgery (SSRF) in Kubernetes
Severity: Moderate
GitHub Reviewed
Published to the GitHub Advisory Database: Feb 15, 2022
Updated: Sep 18, 2023
Package
Affected versions: >= 1.18.0, < 1.18.1; >= 1.17.0, < 1.17.4; >= 1.16.0, < 1.16.9; < 1.15.12
Patched versions: 1.18.1, 1.17.4, 1.16.9, 1.15.12
Description
Published by the National Vulnerability Database: Jun 5, 2020
Reviewed: May 13, 2021
Published to the GitHub Advisory Database: Feb 15, 2022
Last updated: Sep 18, 2023
The Kubernetes kube-controller-manager in versions v1.0-1.14, in versions prior to v1.15.12, v1.16.9 and v1.17.5, and in version v1.18.0 is vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).