PT-2022-24469 · Zalando · Zalando Skipper

Hossein Vita +1

Published: 2022-10-24 · Updated: 2023-03-28

CVE-2022-38580

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Zalando Skipper, versions prior to v0.13.237
Description: Skipper versions before v0.13.237 act on the X-Skipper-Proxy request header even when it is supplied by the client. An unauthenticated attacker who can send requests through a vulnerable proxy can therefore set this header to make the proxy issue requests on their behalf, for example to the cloud instance-metadata service or to other unauthenticated URLs that are reachable from the proxy's network position but not from the attacker's. This is a case of Server-Side Request Forgery (SSRF); the CVSS vector (network, no privileges, no user interaction) reflects that it needs nothing more than the ability to reach the proxy.
Recommendations: Upgrade to Zalando Skipper v0.13.237 or later. Until the upgrade is rolled out, apply the dropRequestHeader("X-Skipper-Proxy") filter so that a client-supplied header is discarded before it can influence proxying. The filter acts per route, so it must be present on every route an untrusted client can reach; a single externally reachable route without it leaves the proxy exploitable.
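Added example (not part of this advisory and not Skipper's own code): a small Go handler chain that shows what the recommended workaround achieves. A stand-in for the proxy core only records the headers it receives (it does not model how Skipper actually used the header), a wrapper analogous to the dropRequestHeader filter strips X-Skipper-Proxy before the core sees it, and a helper flags header values that point at loopback, link-local (the 169.254.169.254 metadata address) or private IP literals so an operator has a signal that someone is probing. The request host skipper.example and the header value are constructed; the function and type names are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
)

// X-Skipper-Proxy is the request header named in the advisory: an unpatched
// Skipper acted on it even when it was supplied by the client.
const proxyHeader = "X-Skipper-Proxy"

// isInternalTarget reports whether a header value parses as a URL whose host
// is a literal loopback, link-local, unspecified or RFC 1918 address. The
// cloud metadata endpoint 169.254.169.254 named in the advisory is
// link-local. Hostnames are deliberately not resolved, so a DNS name that
// points at an internal address is not caught: read false as "not provably
// internal", not as "safe".
func isInternalTarget(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	ip := net.ParseIP(u.Hostname())
	if ip == nil {
		return false
	}
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified()
}

// headerDropper is a Go analogue of the dropRequestHeader filter from the
// advisory's workaround (illustrative code, not Skipper's implementation).
// It deletes hdr from every inbound request before the wrapped handler runs,
// so nothing a client sends in that header can influence proxying. Values
// that pointed at an internal address are counted as probe attempts.
type headerDropper struct {
	hdr      string
	next     http.Handler
	attempts int64 // dropped headers whose value targeted an internal address
}

func (d *headerDropper) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if v := r.Header.Get(d.hdr); v != "" {
		if isInternalTarget(v) {
			atomic.AddInt64(&d.attempts, 1)
		}
		r.Header.Del(d.hdr)
	}
	d.next.ServeHTTP(w, r)
}

// recordingProxy stands in for the proxy core. It only records the headers it
// receives so the caller can check whether the client-controlled header got
// through; it opens no connections and does not model how Skipper used it.
type recordingProxy struct{ seen http.Header }

func (p *recordingProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	p.seen = r.Header.Clone()
	w.WriteHeader(http.StatusOK)
}

// simulate sends one constructed request carrying an SSRF-style
// X-Skipper-Proxy value through the chain, with or without the workaround,
// and reports whether the proxy core still saw the header and how many
// internal-target probes the dropper counted.
func simulate(withWorkaround bool) (seenByProxy bool, probes int64) {
	core := &recordingProxy{}
	var chain http.Handler = core
	var dropper *headerDropper
	if withWorkaround {
		dropper = &headerDropper{hdr: proxyHeader, next: core}
		chain = dropper
	}
	// Constructed request: the host is a placeholder, the header value is the
	// metadata address the advisory mentions.
	req := httptest.NewRequest(http.MethodGet, "http://skipper.example/", nil)
	req.Header.Set(proxyHeader, "http://169.254.169.254/latest/meta-data/")
	chain.ServeHTTP(httptest.NewRecorder(), req)

	seenByProxy = core.seen.Get(proxyHeader) != ""
	if dropper != nil {
		probes = atomic.LoadInt64(&dropper.attempts)
	}
	return seenByProxy, probes
}

func main() {
	for _, on := range []bool{false, true} {
		seen, probes := simulate(on)
		fmt.Printf("workaround=%-5v header reached proxy core: %-5v probes counted: %d\n", on, seen, probes)
	}
}
```

Without the wrapper the header reaches the core untouched; with it the core never sees the header and the probe counter records the attempt, which is the behaviour the route-level filter is meant to provide. The IP check is a heuristic for alerting only: the mitigation is unconditional removal of the header, not blocking by destination, because a DNS name or an unusual address encoding would slip past any allow/deny list applied to the value.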

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2022-38580
GHSA-F2RJ-M42R-6JM2
GO-2022-1086

Affected Products

Zalando Skipper