An attacker can access the internal metadata server or other unauthenticated URLs by adding a specific header (X-Skipper-Proxy) to the http request.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-1086" }
{ "imports": [ { "path": "github.com/zalando/skipper/proxy", "symbols": [ "Proxy.ServeHTTP", "context.Loopback", "forwardToProxy", "mapRequest", "proxyFromHeader" ] } ] }