← Volver a CVEs
CVE-2026-23742
HIGH8.8
Descripcion
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.
Detalles CVE
Puntuacion CVSS v3.18.8
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado1/16/2026
Ultima modificacion2/18/2026
Fuentenvd
Avistamientos honeypot0
Productos afectados
zalando:skipper
Debilidades (CWE)
CWE-94CWE-250CWE-522
Referencias
https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714(security-advisories@github.com)
https://github.com/zalando/skipper/releases/tag/v0.23.0(security-advisories@github.com)
https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g(security-advisories@github.com)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.