Lucene search
+L

93 matches found

Cvelist
Cvelist
added 3 hours ago8 views

CVE-2026-50197 Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding: chunked / HTTP/2 requests

Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the...

7.8CVSS
Exploits0References4
CVE
CVE
added 3 hours ago10 views

CVE-2026-50197

Summary: CVE-2026-50197 affects zalando/skipper’s OpenPolicyAgent integration. When clients use HTTP/1.1 Transfer-Encoding: chunked or HTTP/2 without Content-Length, the opaAuthorizeRequestWithBody flow exposes an empty raw_body and parsed input.parsed_body to OPA, causing policy checks that rely...

7.8CVSS5.3AI score
Exploits0References4
OSV
OSV
added 5 hours ago2 views

GHSA-CWXQ-RC9X-2JVV Skipper: Unbounded Request Body Read in Admission Webhook Causes Memory Exhaustion DoS

Summary The Kubernetes admission webhook handler reads the entire request body using io.ReadAllr.Body without any size limit. Any client that can reach the webhook port within the cluster can send a multi-GB payload, causing the skipper process to exhaust memory and be OOM-killed. This disrupts a...

4.3CVSS5.5AI score
Exploits0References3
Circl
Circl
added 2026/07/08 10:35 p.m.15 views

CVE-2026-50197

creationtimestamp| type| source ---|---|--- 2026-07-08 22:35:12+00:00| published-proof-of-concept| https://github.com/zalando/skipper/security/advisories/GHSA-659f-rgp5-w4wf...

5.9AI score
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/07/08 8:23 p.m.7 views

Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests

Summary zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the...

7.8CVSS6.1AI score
Exploits0References2Affected Software1
OSV
OSV
added 2026/07/08 8:23 p.m.2 views

GHSA-659F-RGP5-W4WF Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests

Summary zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the...

10CVSS6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.7 views

PT-2026-56679

Name of the Vulnerable Software and Affected Versions zalando/skipper versions prior to 0.26.10 Description The OpenPolicyAgent integration in zalando/skipper contains a flaw that allows request-body inspection to be bypassed. This occurs during HTTP/1.1 requests using Transfer-Encoding: chunked...

7.8CVSS5.3AI score
Exploits0References7
SUSE CVE
SUSE CVE
added 2026/02/07 12:24 a.m.8 views

SUSE CVE-2026-23742

Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The...

8.8CVSS5.4AI score0.00473EPSS
Exploits1References3
SUSE CVE
SUSE CVE
added 2026/02/07 12:24 a.m.4 views

SUSE CVE-2026-24470

Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...

8.1CVSS5.3AI score0.00267EPSS
Exploits0References3
OSV
OSV
added 2026/02/03 8:37 p.m.5 views

GO-2026-4327 Skipper is vulnerable to arbitrary code execution through lua filters in github.com/zalando/skipper

Skipper is vulnerable to arbitrary code execution through lua filters in github.com/zalando/skipper...

8.8CVSS6.2AI score0.00473EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/02/03 12:0 a.m.6 views

PT-2026-6504

Skipper is vulnerable to arbitrary code execution through lua filters in github.com/zalando/skipper...

8.8CVSS6.3AI score0.00473EPSS
Exploits1References5
OSV
OSV
added 2026/02/02 9:5 p.m.6 views

GO-2026-4378 Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName in github.com/zalando/skipper

Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName in github.com/zalando/skipper...

8.1CVSS5.4AI score0.00267EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/01/28 3:16 a.m.7 views

CVE-2026-24470

Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...

8.1CVSS5.9AI score0.00267EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/01/26 11:26 p.m.10 views

Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName

Impact When running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Patches https://github.com/zalando/skipper/releases/tag/v0.24.0...

8.1CVSS5.9AI score0.00267EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/01/26 11:26 p.m.3 views

GHSA-MXXC-P822-2HX9 Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName

Impact When running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Patches https://github.com/zalando/skipper/releases/tag/v0.24.0...

8.1CVSS5.9AI score0.00267EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/01/26 10:23 p.m.4 views

CVE-2026-24470

Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...

8.1CVSS5.9AI score0.00267EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/01/26 10:23 p.m.4 views

CVE-2026-24470 Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName

Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...

8.1CVSS5.9AI score0.00267EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/01/26 10:23 p.m.23 views

CVE-2026-24470 Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName

Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...

8.1CVSS0.00267EPSS
Exploits0References3
CVE
CVE
added 2026/01/26 10:23 p.m.22 views

CVE-2026-24470

CVE-2026-24470 affects the Skipper HTTP router/reverse proxy. Before v0.24.0, when Skipper runs as an Ingress controller, users with Ingress and ExternalName Service permissions could create routes enabling Skipper’s network access to reach internal services. The issue is mitigated by disabling K...

8.1CVSS5.9AI score0.00267EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/01/26 10:23 p.m.6 views

CVE-2026-24470 Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName

Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...

8.1CVSS5.9AI score0.00267EPSS
Exploits0References5
Rows per page
Query Builder