Description
Server-Side Request Forgery (SSRF) in kubeflow/kubeflow
A Server-Side Request Forgery (SSRF) flaw was found in kubeflow. Any user can use kubeflow as a proxy to access internal or external resources and have the response returned to them by supplying a URL in the namespace parameter of /pipeline/artifacts/get. This issue could allow an attacker to hijack a user account by stealing the authentication cookie sent with the request, or to access internal resources reachable from the kubeflow server.
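The root cause described above is a request parameter that should only ever hold a Kubernetes namespace name being used to build a server-side URL. The following is an added example, not code from the Kubeflow project, showing the defensive pattern: validate the parameter against the namespace name grammar (an RFC 1123 DNS label) before any request is constructed, and place user input only in the query string of a fixed, operator-controlled base URL. The base URL, the handler names and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// Kubernetes namespace names are RFC 1123 DNS labels: lowercase alphanumerics
// and '-', at most 63 characters, starting and ending with an alphanumeric.
// No scheme, host, slash, '@' or '?' can ever appear in a valid name.
var namespaceRe = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)

// ValidateNamespace rejects anything that is not a bare namespace name, so a
// URL supplied in the parameter is refused before any upstream call is built.
func ValidateNamespace(ns string) error {
	if !namespaceRe.MatchString(ns) {
		return fmt.Errorf("invalid namespace %q", ns)
	}
	return nil
}

// ArtifactURL builds the upstream fetch from a fixed base (hypothetical value
// chosen by the operator, never by the client) and the validated namespace.
// User input lands only in escaped query parameters, never in the host or path.
func ArtifactURL(base, ns, key string) (string, error) {
	if err := ValidateNamespace(ns); err != nil {
		return "", err
	}
	u, err := url.Parse(base)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", errors.New("base must be an absolute URL")
	}
	q := u.Query()
	q.Set("namespace", ns)
	q.Set("key", key)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed inputs: one valid name and two values that must be refused.
	for _, ns := range []string{"kubeflow-user", "http://internal.example/", "Team/../"} {
		s, err := ArtifactURL("http://ml-pipeline-ui.kubeflow.svc:80/artifacts/get", ns, "run1/out.csv")
		fmt.Println(ns, "->", s, err)
	}
}
```

The same check belongs on every handler that turns a namespace or similar identifier into a server-side request, since a single unvalidated parameter is enough to turn the service into a proxy.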
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-kf-notebook-controller-rhel8 | Will not fix | ||
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-ml-pipelines-api-server-rhel8 | Will not fix | ||
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-ml-pipelines-artifact-manager-rhel8 | Will not fix | ||
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-ml-pipelines-cache-rhel8 | Will not fix | ||
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-ml-pipelines-persistenceagent-rhel8 | Will not fix | ||
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-ml-pipelines-scheduledworkflow-rhel8 | Will not fix | ||
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-ml-pipelines-viewercontroller-rhel8 | Will not fix | ||
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-notebook-controller-rhel8 | Will not fix | ||
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-operator-base-rhel8 | Will not fix | | |
Additional information
CVSS3: 6.5 (Medium)
Related vulnerabilities
- Server-Side Request Forgery (SSRF) in kubeflow/kubeflow (source: github, about 2 years ago): CVSS3 7.7; CVSS3 6.5 (Medium)