Description
A half-blind Server-Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when the legacy in-tree Portworx StorageClass is used. An authorized user with sufficient privileges can cause the controller to issue requests to endpoints reachable from the control plane's host network, including link-local and loopback services, and leak arbitrary information from any of those endpoints that are left unprotected.
Statement
This issue is rated Moderate rather than Important because its exploitability and impact are constrained by several design and configuration prerequisites. Exploitation requires pre-existing high privileges: the attacker must already be authorized to create pods that use the legacy in-tree Portworx StorageClass, which is typically restricted in production clusters. The SSRF is half-blind, which limits the attacker's ability to control requests reliably or to exfiltrate data, and it only becomes meaningful when unprotected endpoints are exposed on the control plane host network, a condition that should not exist in a properly hardened environment. There is no direct integrity or availability impact, no privilege escalation, and no code execution path. The affected in-tree plugin is also disabled by default in supported Kubernetes versions, which further reduces real-world exposure. These constraints, together with the dependency on non-default or misconfigured setups, justify a Moderate severity rating rather than classification as an Important flaw.
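The precondition above, a StorageClass backed by the legacy in-tree Portworx plugin that users are allowed to consume, is something a cluster operator can audit directly. The following script is an added example, not Red Hat's or the Kubernetes project's code. It assumes the input is the JSON emitted by `kubectl get storageclass -o json` and `kubectl get pvc -A -o json`, and that the in-tree plugin is identified by the provisioner name `kubernetes.io/portworx-volume` (CSI-based Portworx classes use a different provisioner and are outside the scope of this issue). It also handles the case the page's prerequisite makes easy to miss: a PVC with no `storageClassName` silently falls back to the cluster default class, so an in-tree Portworx default class exposes claims that never name it. The constructed sample objects at the bottom are illustrative data, not real cluster output.

```python
"""Audit exported StorageClass and PersistentVolumeClaim objects for use of the
legacy in-tree Portworx provisioner, the precondition for this SSRF.

Constructed example, not Red Hat's or the Kubernetes project's code. Assumes
the input is the JSON that `kubectl get storageclass -o json` and
`kubectl get pvc -A -o json` produce, and that the in-tree plugin is identified
by the provisioner name kubernetes.io/portworx-volume."""
import json
import sys

IN_TREE_PORTWORX = "kubernetes.io/portworx-volume"  # legacy in-tree plugin provisioner
DEFAULT_CLASS_ANNOTATIONS = (
    "storageclass.kubernetes.io/is-default-class",
    "storageclass.beta.kubernetes.io/is-default-class",
)


def in_tree_portworx_classes(sc_list):
    """Names of StorageClasses whose provisioner is the in-tree Portworx plugin."""
    return sorted(
        sc["metadata"]["name"]
        for sc in sc_list.get("items", [])
        if sc.get("provisioner") == IN_TREE_PORTWORX
    )


def default_class(sc_list):
    """Name of the cluster default StorageClass, or None if none is marked."""
    for sc in sc_list.get("items", []):
        ann = sc["metadata"].get("annotations") or {}
        if any(ann.get(key) == "true" for key in DEFAULT_CLASS_ANNOTATIONS):
            return sc["metadata"]["name"]
    return None


def exposed_pvcs(sc_list, pvc_list):
    """(namespace, name, class) for every PVC that resolves to an in-tree Portworx class.

    A PVC with no storageClassName field falls back to the default class, so an
    in-tree Portworx default class exposes PVCs that never name it. An explicit
    empty string disables dynamic provisioning and is therefore not affected."""
    risky = set(in_tree_portworx_classes(sc_list))
    default = default_class(sc_list)
    found = []
    for pvc in pvc_list.get("items", []):
        spec = pvc.get("spec", {})
        cls = spec["storageClassName"] if "storageClassName" in spec else default
        if cls in risky:
            meta = pvc["metadata"]
            found.append((meta["namespace"], meta["name"], cls))
    return sorted(found)


# Constructed sample objects (trimmed to the fields the audit reads); not real cluster data.
SAMPLE_SC = {"items": [
    {"metadata": {"name": "px-legacy",
                  "annotations": {"storageclass.kubernetes.io/is-default-class": "true"}},
     "provisioner": IN_TREE_PORTWORX},
    {"metadata": {"name": "px-csi"}, "provisioner": "pxd.portworx.com"},
    {"metadata": {"name": "gp3"}, "provisioner": "ebs.csi.aws.com"},
]}
SAMPLE_PVC = {"items": [
    {"metadata": {"namespace": "apps", "name": "data-0"},
     "spec": {"storageClassName": "px-legacy"}},
    {"metadata": {"namespace": "apps", "name": "implicit"},
     "spec": {}},                                  # no class -> default (px-legacy)
    {"metadata": {"namespace": "apps", "name": "static"},
     "spec": {"storageClassName": ""}},            # "" -> no dynamic provisioning
    {"metadata": {"namespace": "db", "name": "csi-vol"},
     "spec": {"storageClassName": "px-csi"}},
]}


def main(argv):
    # usage: audit.py storageclasses.json pvcs.json  (falls back to the sample data)
    if len(argv) == 3:
        with open(argv[1]) as f, open(argv[2]) as g:
            sc_list, pvc_list = json.load(f), json.load(g)
    else:
        sc_list, pvc_list = SAMPLE_SC, SAMPLE_PVC
    classes = in_tree_portworx_classes(sc_list)
    print("in-tree Portworx StorageClasses:", classes or "none")
    for ns, name, cls in exposed_pvcs(sc_list, pvc_list):
        print(f"  PVC {ns}/{name} resolves to {cls}")


if __name__ == "__main__":
    main(sys.argv)
```

Finding a class here does not by itself mean the cluster is exploitable; per the statement above, an unprotected service on the control plane host network and a principal allowed to create pods or claims against that class are both required. The output is the list of classes and claims to review, and of the RBAC subjects who can create against them.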
Mitigation
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Affected Packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-rhel9 | Fix deferred | | |
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-webhook-rhel9 | Fix deferred | | |
| External Secrets Operator for Red Hat OpenShift | external-secrets-operator/bitwarden-sdk-server-rhel9 | Fix deferred | | |
| External Secrets Operator for Red Hat OpenShift | external-secrets-operator/external-secrets-operator-bundle | Fix deferred | | |
| External Secrets Operator for Red Hat OpenShift | external-secrets-operator/external-secrets-operator-rhel9 | Fix deferred | | |
| External Secrets Operator for Red Hat OpenShift | external-secrets-operator/external-secrets-rhel9 | Fix deferred | | |
| External Secrets Operator for Red Hat OpenShift - Tech Preview | external-secrets-operator/bitwarden-sdk-server-rhel9 | Fix deferred | | |
| External Secrets Operator for Red Hat OpenShift - Tech Preview | external-secrets-operator/external-secrets-operator-bundle | Fix deferred | | |
| External Secrets Operator for Red Hat OpenShift - Tech Preview | external-secrets-operator/external-secrets-operator-rhel9 | Fix deferred | | |
| External Secrets Operator for Red Hat OpenShift - Tech Preview | external-secrets-operator/external-secrets-rhel9 | Fix deferred | | |
Additional information
CVSS3: 5.8 Medium