GHSA-r6j8-c6r2-37rr

A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": "2025-12-14T22:15:36Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "github_reviewed_at": "2025-12-16T00:48:30Z"
}

References

Affected packages

Go / k8s.io/kubernetes

Package

Name: k8s.io/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.32.10

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-r6j8-c6r2-37rr/GHSA-r6j8-c6r2-37rr.json"

Go / k8s.io/kubernetes

Package

Name: k8s.io/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.33.0-alpha.0

Fixed

1.33.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-r6j8-c6r2-37rr/GHSA-r6j8-c6r2-37rr.json"

Go / k8s.io/kubernetes

Package

Name: k8s.io/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.34.0-alpha.0

Fixed

1.34.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-r6j8-c6r2-37rr/GHSA-r6j8-c6r2-37rr.json"