Affected endpoint:
GET /config
Details:
While the delivery platform is running, the application periodically sends configuration requests (GET /config) and health checks (GET /clusters/main/healthz). While sending a GET /config request, the application reveals the KUBERNETES_SERVICE_HOST's internal IP address in the responses, which is intended for internal use within the cluster and backend systems. This exposure could allow attackers, in the event of a compromised pod, to target the system (for example, with DoS/DDoS attacks) or to learn the internal IP addressing schema.
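
A regression check for the exposure reported above, as an added example that is not part of the original issue or the project's code: it walks a GET /config response body and reports every non-public IPv4 address with its JSON path. The sample response, its field names and the addresses in it are constructed assumptions, since the issue does not show the real schema.

```python
import ipaddress
import json
import re

# Candidate IPv4 literals anywhere inside a string value (URLs, host:port, bare IPs).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def internal_addresses(value, path="$"):
    """Walk decoded JSON and yield (json_path, ip) for each non-public IPv4 literal."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from internal_addresses(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from internal_addresses(child, f"{path}[{index}]")
    elif isinstance(value, str):
        for match in IPV4_RE.findall(value):
            try:
                addr = ipaddress.ip_address(match)
            except ValueError:
                continue  # looks like an IP but is not one, e.g. "999.1.1.1"
            # is_global is False for RFC 1918, loopback, link-local and CGNAT ranges.
            if not addr.is_global:
                yield path, match


def check_config_response(body):
    """Return the leaks found in a raw GET /config response body (JSON text)."""
    return list(internal_addresses(json.loads(body)))


# Constructed sample response; field names are assumptions, not the platform's schema.
SAMPLE_BODY = json.dumps({
    "clusters": [{"name": "main", "server": "https://10.96.0.1:443"}],
    "docsUrl": "https://93.184.216.34/docs",
})

if __name__ == "__main__":
    for path, ip in check_config_response(SAMPLE_BODY):
        print(f"internal address {ip} exposed at {path}")
```

Run against a captured response body in CI, a non-empty result fails the build until the address is removed from the response or replaced with a stable external name.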