Sigstore Fulcio Unanchored Regex Vulnerability Allows Server-Side Request Forgery
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Sigstore Fulcio versions prior to 1.8.5. The issue arises in the 'metaRegex' function, which uses unanchored regular expressions (patterns without a leading '^' and trailing '$'), so a pattern can match anywhere inside the issuer URL rather than the whole URL. This flaw allows attackers to bypass MetaIssuer URL validation and cause Fulcio to send GET requests to arbitrary internal services. While the SSRF cannot mutate state or exfiltrate data, it could be exploited to probe internal networks.
Impact
Exploitation of this vulnerability allows for blind SSRF, where an attacker can send requests to internal services that are not accessible from the outside network. This could include cloud metadata services or internal Kubernetes APIs.
Reproduction
To reproduce this vulnerability, send a JWT whose 'iss' claim is an attacker-chosen URL that contains, as a substring, a string matching a configured MetaIssuer pattern. The unanchored regex in Fulcio's 'metaRegex' function matches that substring, so validation passes. Fulcio then makes a request to the supplied issuer URL, allowing the attacker to reach internal services.
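The matching defect described above, as an added illustration written for this page rather than Fulcio's own code: a wildcard issuer pattern is turned into a regular expression, and the same constructed issuer URLs are checked against the unanchored and the anchored form. The pattern, the conversion routine and both URLs are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// metaIssuerPattern is a constructed wildcard issuer pattern for this example,
// not a pattern taken from Fulcio's configuration. Each '*' stands for one
// identifier segment (for example a cluster or tenant id).
const metaIssuerPattern = "https://oidc.example.com/cluster/*"

// globToRegex turns the wildcard pattern into a regular expression. With
// anchored=false it reproduces the flaw in the advisory: the expression can
// match a substring of the issuer instead of the whole issuer.
func globToRegex(pattern string, anchored bool) (*regexp.Regexp, error) {
	parts := strings.Split(pattern, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p) // keep '.' and friends literal
	}
	expr := strings.Join(parts, `[-_a-zA-Z0-9]+`)
	if anchored {
		expr = "^" + expr + "$" // whole-string match is the fix
	}
	return regexp.Compile(expr)
}

// issuerMatches reports whether iss is accepted by pattern under the given
// anchoring. A real service must only contact iss when this returns true
// with anchored=true.
func issuerMatches(pattern, iss string, anchored bool) bool {
	re, err := globToRegex(pattern, anchored)
	if err != nil {
		return false
	}
	return re.MatchString(iss)
}

func main() {
	// Constructed inputs: a legitimate issuer and one that merely embeds the
	// pattern inside a query string of an unrelated host.
	legit := "https://oidc.example.com/cluster/abc123"
	crafted := "https://internal.service.invalid/?next=https://oidc.example.com/cluster/abc123"
	for _, iss := range []string{legit, crafted} {
		fmt.Printf("%s\n  unanchored=%v anchored=%v\n", iss,
			issuerMatches(metaIssuerPattern, iss, false),
			issuerMatches(metaIssuerPattern, iss, true))
	}
}
```

The unanchored form accepts the crafted issuer, which is exactly the bypass the advisory describes; the anchored form rejects it while still accepting the legitimate one.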
Remediation
Upgrade to Fulcio version 1.8.5 or later.
