You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.
Impact
Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.
Patches
The problem was patched in version https://github.com/zalando/skipper/releases/tag/v0.13.237.
Users need to upgrade to skipper
>=v0.13.237.Workarounds
Use
dropRequestHeader("X-Skipper-Proxy")filterReferences
https://github.com/zalando/skipper/releases/tag/v0.13.237
For more information
If you have any questions or comments about this advisory: