VU#655822: Kyverno is vulnerab... Note

VU#655822: Kyverno is vulnerable to server-side request forgery (SSRF)

Kyverno, a Kubernetes policy engine, has an SSRF vulnerability in versions 1.16.0 and later. This vulnerability stems from inadequate URL validation within its CEL-based HTTP functions (Get and Post). Namespaced policies can trigger arbitrary internal HTTP requests due to the lack of namespace scoping in these functions. An attacker with namespace-level permissions can exploit this flaw. They can create a malicious policy to send internal requests and exfiltrate responses. The Kyverno admission controller, which executes these requests, has privileged network access. This vulnerability could lead to cross-namespace data access and the exposure of sensitive information. A patch is unavailable, so mitigation strategies are necessary. These include strict URL validation, destination controls, and blocklists. Recommended safeguards involve blocking access to sensitive address ranges and limiting outbound requests. Applying default deny network policies to the Kyverno pod is also suggested. This vulnerability was responsibly disclosed by Igor Stepansky from Orca Security Research Pod.