Qiqi Xu

Rank #52268 of 53,633
Total CVSS: 4.1
Vulnerabilities · 1

PT-2021-6571
CVSS 4.1
2021-09-01
Vendor: Unknown · Kubernetes · CVE-2020-8561
**Name of the Vulnerable Software and Affected Versions**

Kubernetes (affected versions not specified)

**Description**

A security issue was discovered in Kubernetes where an actor who controls the responses to `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` requests can redirect `kube-apiserver` requests to private networks reachable from the apiserver. If that actor can also view `kube-apiserver` logs while the log level is set to 10, the redirected responses and headers are visible in those logs. The root cause is improper handling of redirect links, which can allow a remote attacker to access confidential data.

Additionally, `kube-apiserver`, `scheduler`, `controller-manager`, and `kubelet` have profiling enabled by default, and this information can be obtained from the `/debug/pprof/profile` endpoint; for `kube-apiserver`, `kube-controller-manager`, and `kube-scheduler` the necessary RBAC rights are required.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.