kube-controller-manager
Easy fix4 remedies
cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*
Easy fix4 remedies
- <= v1.30.14
- <= v1.31.14
- <= v1.32.9
- <= v1.33.5
- <= v1.34.1
Kubernetes Portworx StorageClass Half-Blind Server Side Request Forgery Vulnerability in kube-controller-manager
Vulnerability
Patched
A half-blind Server Side Request Forgery (SSRF) vulnerability has been identified in the Kubernetes kube-controller-manager, specifically when the in-tree Portworx StorageClass is used. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints within the control plane's host network, including link-local or loopback services. The issue arises because kube-controller-manager can be manipulated to send GET requests from the host network, exposing the response data through event objects created by the manager.
Impact
Exploitation of this vulnerability could lead to unauthorized information disclosure from the control plane's host network, potentially exposing sensitive data from link-local or loopback services.
Remediation
Users can upgrade to kube-controller-manager versions 1.32.10, 1.33.6, or 1.34.2, or enable the CSIMigrationPortworx feature gate if it was manually disabled.
Added: Dec 14, 2025, 10:17 PM
Updated: Dec 14, 2025, 10:17 PM
Vulnerability Rating
Custom Algorithm
spread
7.3impact
2.5exploitability
5.2remediation
8.3relevance
1.4threat
0.0urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.