GHSA-mxxc-p822-2hx9

Source
https://github.com/advisories/GHSA-mxxc-p822-2hx9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-mxxc-p822-2hx9/GHSA-mxxc-p822-2hx9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mxxc-p822-2hx9
Aliases
Published
2026-01-26T23:26:56Z
Modified
2026-02-03T03:05:02.269547Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName
Details

Impact

When running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services.

Patches

Skipper v0.24.0 (https://github.com/zalando/skipper/releases/tag/v0.24.0) disables Kubernetes ExternalName support by default.

Workarounds

Developers can restrict ExternalName targets to an allow list by running Skipper with -kubernetes-only-allowed-external-names=true and supplying the permitted targets as regular expressions via -kubernetes-allowed-external-name, for example -kubernetes-allowed-external-name '^[a-z][a-z0-9-.]+[.].allowed.example$'
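The allow-list check that these two flags enable, as an added example in Go (Skipper's language) that is not the project's own code: admitted is a hypothetical helper that models the decision, advisoryPattern is the expression quoted above, and tightenedPattern and the sample hostnames are my assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// advisoryPattern is the -kubernetes-allowed-external-name value quoted in the
// workaround; tightenedPattern is my assumption (not from the advisory), with
// the suffix dots written as literal "[.]" so they cannot match any character.
const (
	advisoryPattern  = `^[a-z][a-z0-9-.]+[.].allowed.example$`
	tightenedPattern = `^[a-z][a-z0-9-.]+[.]allowed[.]example$`
)
// admitted models the check made with -kubernetes-only-allowed-external-names=true:
// an ExternalName Service gets a route only if spec.externalName matches at least
// one pattern (RE2 syntax, as in Go). Hypothetical helper, not Skipper's own code.
func admitted(patterns, externalNames []string) (map[string]bool, error) {
	res := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, err
		}
		res = append(res, re)
	}
	out := make(map[string]bool, len(externalNames))
	for _, name := range externalNames {
		out[name] = false
		for _, re := range res {
			if re.MatchString(name) {
				out[name] = true
				break
			}
		}
	}
	return out, nil
}

func main() {
	// Constructed sample spec.externalName values (not from the advisory).
	names := []string{"db.allowed.example", "db.xallowed.example", "metadata.internal"}
	for _, p := range []string{advisoryPattern, tightenedPattern} {
		res, err := admitted([]string{p}, names)
		if err != nil {
			panic(err)
		}
		fmt.Println(p, res) // the advisory pattern admits only db.xallowed.example
	}
}
```

Run the pattern you deploy against the hostnames you expect to admit before relying on it: in the expression quoted above the dots before allowed and example are outside a character class, so each matches any single character, which is why db.xallowed.example is admitted and db.allowed.example is not.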

References

https://kubernetes.io/docs/concepts/services-networking/service/#externalname

Database specific
{
    "nvd_published_at": "2026-01-26T23:16:09Z",
    "github_reviewed_at": "2026-01-26T23:26:56Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-441",
        "CWE-918"
    ],
    "github_reviewed": true
}
Affected packages

Go / github.com/zalando/skipper

Package

Name
github.com/zalando/skipper
Purl
pkg:golang/github.com/zalando/skipper

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.24.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-mxxc-p822-2hx9/GHSA-mxxc-p822-2hx9.json"