Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Skipper arbitrary code execution through lua filters
Vulnerability Description
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
Skipper 安全漏洞
Vulnerability Description
Skipper是一个用于服务组合的 HTTP 路由器和反向代理。 Skipper 0.23.0之前版本存在安全漏洞,该漏洞源于默认配置允许不受信任用户创建Lua过滤器,可能导致文件系统读取。
CVSS Information
N/A
Vulnerability Type
N/A