High

kubeflow

SSRF Vulnerability

Kubeflow version 1.7.0 is vulnerable to Server-Side Request Forgery (SSRF), allowing attackers to proxy requests through Kubeflow to access internal and external resources. The vulnerability was identified in the handling of the 'namespace' URL parameter. The specific patch version fixing this issue is not mentioned.

Available publicly on Dec 14 2023

CVSS: 7.7

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Credit: danmcinerney

Threat Overview

The SSRF vulnerability in Kubeflow allows attackers to craft requests that the Kubeflow server will execute on their behalf. By manipulating the 'namespace' URL parameter, an attacker can cause the server to make arbitrary HTTP requests to internal or external resources. This can lead to sensitive information disclosure, internal network mapping, or even remote code execution if the response is processed insecurely by the server. Additionally, since Kubeflow forwards the user's authentication cookie in the request, it could lead to account hijacking if an attacker can coerce a victim into making a request to a malicious server.

Attack Scenario

An attacker crafts a malicious URL whose 'namespace' parameter causes Kubeflow to make an HTTP request to an attacker-controlled server. The attacker's server responds with a payload designed to exploit the SSRF vulnerability. If an authenticated user visits this malicious URL, the Kubeflow server will forward the user's authentication cookie along with the request, potentially allowing the attacker to hijack the user's session.

Who is affected

Any authenticated user of Kubeflow version 1.7.0 could be affected by this vulnerability. Attackers can exploit this vulnerability to hijack user accounts, access internal resources, or conduct further attacks against the internal network.
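As an added example (not Kubeflow's code and not part of the original advisory), the Python sketch below shows one defensive treatment of the 'namespace' parameter described in the Threat Overview: accept only values that are valid Kubernetes namespace names before any upstream URL is built, and flag logged requests that carry anything else. It assumes the parameter ends up in a backend URL; the backend host, URL path, function names and sample request lines are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote

# Kubernetes namespace names are RFC 1123 DNS labels: 1-63 characters,
# lowercase alphanumerics or '-', starting and ending with an alphanumeric.
_NAMESPACE_RE = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")

# Hypothetical internal backend; the real upstream is not named in the advisory.
BACKEND = "http://backend.internal.example:8888"


def is_valid_namespace(value):
    return isinstance(value, str) and _NAMESPACE_RE.fullmatch(value) is not None


def build_upstream_url(namespace, backend=BACKEND):
    """Build the proxied URL only from a namespace that passed validation."""
    if not is_valid_namespace(namespace):
        raise ValueError("rejected namespace parameter")
    # Hypothetical path layout, used only to show where the value lands.
    url = f"{backend}/apis/namespaces/{quote(namespace, safe='')}/items"
    # Defence in depth: the destination must still be the configured backend.
    if urlsplit(url).netloc != urlsplit(backend).netloc:
        raise ValueError("upstream host changed")
    return url


def suspicious_requests(request_urls):
    """Return logged request URLs whose 'namespace' values are not valid names."""
    flagged = []
    for raw in request_urls:
        # parse_qs percent-decodes and keeps every repeated parameter.
        query = parse_qs(urlsplit(raw).query, keep_blank_values=True)
        if any(not is_valid_namespace(v) for v in query.get("namespace", [])):
            flagged.append(raw)
    return flagged


# Constructed sample request lines (not taken from a real deployment).
SAMPLE_REQUESTS = [
    "/api/items?namespace=team-a",
    "/api/items?namespace=Team%20A",
    "/api/items?namespace=team-a&namespace=a.b%2Fc",
    "/api/items?page=2",
    "/api/items?namespace=",
]
```

A value that is not a valid namespace name can never be a legitimate input, so rejecting it at the edge and alerting on it in request logs costs nothing in normal use.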
