KubePlus Server-Side Request Forgery Vulnerability with Arbitrary HTTP Header Injection

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in KubePlus version 4.2.0, specifically within the mutating webhook and kubeconfiggenerator components. The issue arises when the chartURL field of ResourceComposition resources is processed: the chartURL is only URL-encoded, with no validation of the target address, so an attacker can supply a URL pointing at any reachable host. More critically, the kubeconfiggenerator component downloads charts with wget and concatenates the chartURL directly into the command line, so the value is parsed as command arguments rather than as a single URL. This allows wget's --header option to be injected, enabling arbitrary HTTP header injection.

Impact

Exploitation of this vulnerability allows access to internal services and the Kubernetes API. Additionally, it enables access to cloud metadata services, such as GCP's, by injecting the required Metadata-Flavor header, potentially leading to theft of IAM credentials. In some cases, authentication can be bypassed by injecting Authorization headers.

Reproduction

To reproduce this vulnerability, create a ResourceComposition resource with a crafted chartURL that exploits the SSRF vulnerability. Once the resource is processed, the kubeconfiggenerator will execute a wget command that includes the injected headers, allowing access to internal services or cloud metadata.

Remediation

Restrict outbound network access for KubePlus pods using a network policy that excludes cloud metadata IPs. Additionally, implement chartURL whitelist validation in the KubePlus code.
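As an added illustration of the code-side remediation (not KubePlus's own code), the following Go snippet enforces a chartURL allowlist and builds the wget invocation as an argv list terminated by "--", so the URL can never be interpreted as an option such as --header. The allowed host, function names and destination path are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"os/exec"
	"strings"
)

// Hypothetical allowlist of chart repository hosts (assumption for this example).
var allowedChartHosts = map[string]bool{
	"charts.example.com": true,
}

// validateChartURL accepts only an https URL to an allowlisted hostname and rejects
// characters a shell or argument parser could use to split the value into extra arguments.
func validateChartURL(raw string) (*url.URL, error) {
	if strings.ContainsAny(raw, " \t\r\n'\"`$;&|<>()\\") {
		return nil, errors.New("chartURL contains shell or argument separator characters")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("userinfo in chartURL not allowed")
	}
	host := strings.ToLower(u.Hostname())
	if net.ParseIP(host) != nil {
		return nil, errors.New("literal IP addresses (including metadata endpoints) not allowed")
	}
	if !allowedChartHosts[host] {
		return nil, fmt.Errorf("host %q not in chart allowlist", host)
	}
	return u, nil
}

// downloadCommand builds the wget call as an argv slice (no shell involved); the "--"
// tells wget that everything after it is an operand, never an option.
func downloadCommand(u *url.URL, dest string) *exec.Cmd {
	return exec.Command("wget", "-q", "-O", dest, "--", u.String())
}

func main() {
	u, err := validateChartURL("https://charts.example.com/app-1.0.0.tgz")
	fmt.Println(u, err, downloadCommand(u, "/tmp/chart.tgz").Args)
}
```

A NetworkPolicy that blocks egress from the KubePlus pods to the metadata address range complements this check, since validation in the operator alone does not protect against a bypass in the webhook.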

Added: Mar 30, 2026, 5:22 PM
Updated: Mar 30, 2026, 5:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.