
Commit a9c9466

1 parent 4fd7aed commit a9c9466


2 files changed

+88
-4
lines changed

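--- /dev/null
+++ b/advisories/github-reviewed/2026/04/GHSA-fgw5-hp8f-xfhc/GHSA-fgw5-hp8f-xfhc.json
@@ -0,0 +1,55 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-fgw5-hp8f-xfhc",
+"modified": "2026-04-16T21:38:09Z",
+"published": "2026-04-16T21:38:09Z",
+"aliases": [],
+"summary": "Istio: SSRF via RequestAuthentication jwksUri",
+"details": "### Impact\n\nWhen a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link local ips. This can result in sensitive data being distributed to Envoy proxies via xDS configuration.\n\nNote: a partial mitigation for this was released in 1.29.1, 128.5, and 1.27.8; however, it was incomplete and missed a few codepaths. 1.29.2 and 1.28.6 contain the more robust fix.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n\nUsers can deploy a `ValidatingAdmissionPolicy` to prevent the creation of `RequestAuthentication` resources with suspicious jwksUri field values (e.g. localhost, 127.0.0.0/8, 169.254.0.0/16, the ipv6 variants, etc.).\n\n### References\nNone",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Go",
+"name": "istio.io/istio"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "0.0.0-20260410004459-189832a289c1"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/istio/istio/security/advisories/GHSA-fgw5-hp8f-xfhc"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/istio/istio"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-918"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-16T21:38:09Z",
+"nvd_published_at": null
+}
+}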
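Review bot: The `details` string still carries the untouched advisory-template placeholder `_Has the problem been patched? What versions should users upgrade to?_` under `### Patches`, so the section readers go to for an upgrade target is empty even though the Impact paragraph names the fixed builds; replace it with `Upgrade to Istio 1.29.2 or 1.28.6; 1.29.1, 1.28.5 and 1.27.8 only contain a partial mitigation.` In the same paragraph `128.5` looks like a typo for `1.28.5`. Separately, the single `ECOSYSTEM` range `introduced: "0"` → `fixed: "0.0.0-20260410004459-189832a289c1"` does not express the per-minor fix lines the text describes, so version-range matching against tagged 1.27/1.28/1.29 builds may report them as unaffected; if that is a limitation of how the istio.io/istio module is versioned, it is worth saying so in `details` so consumers do not rely on the range alone. Dropping the `### References\nNone` section, or linking the 1.29.2/1.28.6 release notes there, would also make the record self-contained.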

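--- a/advisories/unreviewed/2026/04/GHSA-j6cv-3w8p-vrg8/GHSA-j6cv-3w8p-vrg8.json
+++ b/advisories/github-reviewed/2026/04/GHSA-j6cv-3w8p-vrg8/GHSA-j6cv-3w8p-vrg8.json
@@ -1,40 +1,69 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j6cv-3w8p-vrg8",
-"modified": "2026-04-15T21:30:18Z",
+"modified": "2026-04-16T21:40:08Z",
 "published": "2026-04-15T21:30:18Z",
 "aliases": [
 "CVE-2026-6383"
 ],
+"summary": "KubeVirt's authorization mechanism improperly truncates subresource names",
 "details": "A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "Go",
+"name": "kubevirt.io/kubevirt"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"last_affected": "1.8.1"
+}
+]
+}
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6383"
 },
+{
+"type": "WEB",
+"url": "https://github.com/kubevirt/kubevirt/issues/17337"
+},
 {
 "type": "WEB",
 "url": "https://access.redhat.com/security/cve/CVE-2026-6383"
 },
 {
 "type": "WEB",
 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458741"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/kubevirt/kubevirt"
 }
 ],
 "database_specific": {
 "cwe_ids": [
 "CWE-863"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-16T21:40:08Z",
 "nvd_published_at": "2026-04-15T19:16:38Z"
 }
 }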
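Review bot: The new affected range ends with `"last_affected": "1.8.1"` rather than a `fixed` event, so consumers will treat every kubevirt.io/kubevirt release through 1.8.1 as vulnerable and are given no upgrade target; if a patched release exists it should be recorded as `"fixed": "<version>"`, and if none does, the `details` text should state that explicitly, since it currently carries no version or mitigation information at all. The `details` paragraph also says legitimate users may be denied access, which reads as an availability consequence while the vector is scored `A:N`; worth confirming the scoring is intentional and, if so, noting that the denial is an authorization side effect rather than a service outage. The source for the `1.8.1` bound is not visible in this record; if it comes from the linked kubevirt issue 17337, saying so in `details` would let downstream reviewers verify it.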
