漏洞概述 漏洞编号: CVE-2026-42965 漏洞类型: SSRF(服务端请求伪造) 漏洞描述: OpenShift Router 不会验证从 FQDN 类型的 EndpointSlices 解析的后端目标。用户可以使用 EndpointSlice 创建指向一个解析为 169.254.169.254 的无主机的服务,从而创建路由以针对该服务。路由器代理对云元数据的请求,允许攻击者检索实例凭证和其他敏感元数据。这绕过了 CVE-2021-27377 的修复,该修复仅验证 IPv4/IPv6 地址通过 ValidateEndpointIP(),但不验证 FQDN 端点。HMSv2 不会缓解此问题,因为 Haproxy 作为 Layer 7 中的 HostNetwork 进程运行,并可以执行 PUT/GET 令牌交换。此攻击需要 IngressController 使用 HostNetwork 端点发布(默认在裸机上,不在云提供商上)。 影响范围 组件: Security Response 产品: openshift/router 操作系统: Linux 优先级: High 严重程度: High 修复方案 修复版本: 未指定 关闭状态: 未关闭 最后关闭时间: 未指定 紧急程度: 未指定 其他信息 报告时间: 2026-05-29 09:43 UTC by OSDB Bzreport 修改时间: 2026-05-29 09:46 UTC CC 列表: 0 users 关键词: Security 状态: NEW 别名: CVE-2026-42965 组件: vulnerability 版本: unspecified 硬件: All 目标里程碑: --- 分配给: Product Security QA 联系人: --- 文档联系人: --- URL: --- 白板: --- 依赖项: --- 阻塞项: --- 树视图: depends on / blocked 附件 附件链接: Terms of Use 描述 详细描述: The OpenShift Router does not validate backend destinations resolved from FQDN-typed EndpointSlices. A user with EndpointSlice write access can create a Service backed by an FQDN EndpointSlice pointing to a hostname that resolves to 169.254.169.254 (e.g. 169-254-169-254.nip.io), then create a Route targeting that Service. The router proxies requests to the cloud metadata service, allowing the attacker to retrieve instance credentials and other sensitive metadata. This bypasses the fix for CVE-2021-27377, which only validates IPv4/IPv6 addresses via ValidateEndpointIP() but not FQDN endpoints. HMSv2 does not mitigate this because Haproxy runs as a hostNetwork process at Layer 7 and can perform the PUT/GET token exchange. This attack requires the IngressController to use HostNetwork endpoint publishing (default on bare metal/UPi, not on cloud providers). 备注 备注: You need to log in before you can comment on or make changes to this bug. 页脚 隐私: Privacy 联系: Contact FAQ: FAQ 法律: Legal