Skipper

skipper

Vendor: Zalando • 4 CVEs

CVEs (4)

CVE • VENDORS • PRODUCTS • UPDATED • PUBLISHED • CVSS
Vendors: 1 Zalando • Products: 1 Skipper • Updated: Feb 18, 2026 • Published: Jan 26, 2026 • CVSS: N/A (v4), 8.1 HIGH (v3), N/A (v2)
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions.
Vendors: 1 Zalando • Products: 1 Skipper • Updated: Feb 18, 2026 • Published: Jan 16, 2026 • CVSS: N/A (v4), 8.8 HIGH (v3), N/A (v2)
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline, for example through a Kubernetes Ingress resource. The configuration inline allows these users to create a script that is able to read the filesystem accessible to the skipper process, and if the user has access to read the logs, they can read skipper secrets. This vulnerability is fixed in 0.23.0.
Vendors: 1 Zalando • Products: 1 Skipper • Updated: May 7, 2025 • Published: Oct 25, 2022 • CVSS: N/A (v4), 9.8 CRITICAL (v3), N/A (v2)
Zalando Skipper v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF).
Vendors: 1 Zalando • Products: 1 Skipper • Updated: Nov 21, 2024 • Published: Jun 23, 2022 • CVSS: N/A (v4), 7.5 HIGH (v3), 5.0 MEDIUM (v2)
In Zalando Skipper before 0.13.218, a query predicate could be bypassed via a prepared request.