CVE-2024-40632

Published: Jul 15, 2024Modified: Nov 21, 2024

3.7

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 2.2 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Linkerd is an open source, ultralight, security-first service mesh for Kubernetes. In affected versions when the application being run by linkerd is susceptible to SSRF, an attacker could potentially trigger a denial-of-service (DoS) attack by making requests to localhost:4191/shutdown. Linkerd could introduce an optional environment variable to control a token that must be passed as a header. Linkerd should reject shutdown requests that do not include this header. This issue has been addressed in release version edge-24.6.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (6)

https://github.com/linkerd/linkerd2-proxy/blob/46957de49f25fd4661af7b7c52659148f4d6dd27/linkerd/app/admin/src/server.rs

Source: security-advisories@github.com

https://github.com/linkerd/linkerd2/commit/35fb2d6d11ef6520ae516dd717790529f85224fa

Source: security-advisories@github.com

https://github.com/linkerd/linkerd2/security/advisories/GHSA-6v94-gj6x-jqj7

Source: security-advisories@github.com

https://github.com/linkerd/linkerd2-proxy/blob/46957de49f25fd4661af7b7c52659148f4d6dd27/linkerd/app/admin/src/server.rs

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/linkerd/linkerd2/commit/35fb2d6d11ef6520ae516dd717790529f85224fa

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/linkerd/linkerd2/security/advisories/GHSA-6v94-gj6x-jqj7

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.