External risk intelligence

Zalando Skipper SSRF Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-38580

Zalando Skipper is an HTTP router and reverse proxy designed to handle traffic at the edge of a network. As an ingress controller or gateway, it is commonly deployed in internet-facing positions to route traffic to backend services, making its components frequently reachable from the public internet.

Server-Side Request Forgery

Zalando Skipper

before 0.13.237

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Zalando Skipper, an HTTP router and reverse proxy. The issue, a Server-Side Request Forgery, allows unauthorized requests to be made from the affected system, potentially exposing internal resources or leading to other security risks. Given its role as an edge component, exposure is considered likely, making it important to confirm relevance and assess potential impact.

  • Critical flaw in proxy software.
  • Proxy software is likely exposed externally.
  • Confirm relevance and exposure of proxy software.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests to an exposed instance of the affected software. This could allow them to trick the software into making unintended requests on their behalf to internal or external resources, potentially leading to the disclosure of sensitive information or the manipulation of other systems.

  • Accessible over the network without authentication.
  • Triggered by sending specific requests to the software.
  • Enables unauthorized access to internal resources.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to make the Zalando Skipper proxy issue requests to arbitrary internal or external resources. When the proxy is processing specific requests, an attacker could trick it into connecting to a URL of their choosing. This could lead to the proxy accessing sensitive internal network resources or external services.

  • Internal network access.
  • Attacker-controlled requests.
  • Information disclosure or denial of service.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical SSRF vulnerability in Zalando Skipper, an HTTP router and reverse proxy, likely impacts teams responsible for ingress traffic management and backend service routing. The first practical step is to locate all instances of the affected technology, verify their exposure to external networks, confirm their business criticality, and identify the accountable system owner before planning remediation.

  • Ownership: Platform and network security teams.
  • Verify first: External reachability and business criticality.
  • Action: Coordinate vendor engagement and plan remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Zalando Skipper?

Zalando Skipper is an HTTP router and reverse proxy component. It acts as an ingress controller or gateway, typically sitting at the edge of a network to manage and route incoming traffic to various backend services.

What does CVE-2022-38580 mean?

This CVE identifies a Server-Side Request Forgery (SSRF) vulnerability, classified as CWE-918. It means the software can be manipulated into sending unauthorized requests to locations the attacker chooses, effectively using the proxy as a proxy for their own traffic.

How is this SSRF triggered?

The vulnerability is triggered by sending specially crafted, unauthorized requests to the proxy. It does not require pre-existing authentication to initiate. Simply browsing the site normally or sending standard, non-malicious traffic does not trigger this behavior.

Why is this a concern for my infrastructure?

Halo Surface Signal notes that because Zalando Skipper is often deployed at the network edge to handle incoming traffic, it is frequently reachable from the public internet. This makes it easier for an attacker to reach the vulnerable component directly.

Is there a first step to take?

Start by identifying all deployed instances of Zalando Skipper within your environment. Determine which of these are reachable from external networks, assess their business criticality, and coordinate with the system owners to prepare for updates.

References