CVE-2024-40632

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-40632
Linkerd is an open source, ultralight, security-first service mesh for Kubernetes. In affected versions when the application being run by linkerd is susceptible to SSRF, an attacker could potentially trigger a denial-of-service (DoS) attack by making requests to localhost:4191/shutdown. Linkerd could introduce an optional environment variable to control a token that must be passed as a header. Linkerd should reject shutdown requests that do not include this header. This issue has been addressed in release version edge-24.6.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

3.7 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/linkerd/linkerd2-proxy/blob/46957de49f25fd4661af7b7c52659148f4d6dd27/linkerd/app/admin/src/server.rs
https://github.com/linkerd/linkerd2/commit/35fb2d6d11ef6520ae516dd717790529f85224fa
https://github.com/linkerd/linkerd2/security/advisories/GHSA-6v94-gj6x-jqj7
https://github.com/linkerd/linkerd2-proxy/blob/46957de49f25fd4661af7b7c52659148f4d6dd27/linkerd/app/admin/src/server.rs
https://github.com/linkerd/linkerd2/commit/35fb2d6d11ef6520ae516dd717790529f85224fa
https://github.com/linkerd/linkerd2/security/advisories/GHSA-6v94-gj6x-jqj7
Configurations

No configuration.

History

21 Nov 2024, 09:31

Type Values Removed Values Added
References () https://github.com/linkerd/linkerd2-proxy/blob/46957de49f25fd4661af7b7c52659148f4d6dd27/linkerd/app/admin/src/server.rs - () https://github.com/linkerd/linkerd2-proxy/blob/46957de49f25fd4661af7b7c52659148f4d6dd27/linkerd/app/admin/src/server.rs -
References () https://github.com/linkerd/linkerd2/commit/35fb2d6d11ef6520ae516dd717790529f85224fa - () https://github.com/linkerd/linkerd2/commit/35fb2d6d11ef6520ae516dd717790529f85224fa -
References () https://github.com/linkerd/linkerd2/security/advisories/GHSA-6v94-gj6x-jqj7 - () https://github.com/linkerd/linkerd2/security/advisories/GHSA-6v94-gj6x-jqj7 -

16 Jul 2024, 13:43

Type Values Removed Values Added
Summary
  • (es) Linkerd es una malla de servicios de código abierto, ultraligera y que prioriza la seguridad para Kubernetes. En las versiones afectadas, cuando la aplicación que ejecuta Linkerd es susceptible a SSRF, un atacante podría desencadenar un ataque de denegación de servicio (DoS) al realizar solicitudes a localhost:4191/shutdown. Linkerd podría introducir una variable de entorno opcional para controlar un token que debe pasarse como encabezado. Linkerd debería rechazar las solicitudes de cierre que no incluyan este encabezado. Este problema se solucionó en la versión edge-24.6.2 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

15 Jul 2024, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-07-15 22:15

Updated : 2024-11-21 09:31

NVD link : CVE-2024-40632

Mitre link : CVE-2024-40632

CVE.ORG link : CVE-2024-40632

JSON object : View

Products Affected

No product.

CWE
CWE-918

Server-Side Request Forgery (SSRF)


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024