CVE-2022-38580
published 2022-10-25

CVE-2022-38580: Zalando Skipper v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF).

Priority: P2 · 64 · critical · CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: EPSS 11.00% (95.3rd percentile)

Affected (2 ranges)

Vendor      Product          Version range       Fixed in
github.com  zalando_skipper  >= 0, < 0.13.237    0.13.237
zalando     skipper          < 0.13.237          0.13.237

Detection & IOCs (extracted from sources)

ip: 169.254.169.254
url: http://169.254.169.254/latest/meta-data/iam/security-credentials
other: X-Skipper-Proxy
  • Detect inbound HTTP requests that carry the 'X-Skipper-Proxy' header at all; legitimate clients have no reason to send it, so its presence from outside the trust boundary is itself a signal. Escalate when the value points at a link-local address (e.g. 169.254.169.254) or another non-public range.
  • Monitor for requests to the AWS IMDS credential path '/latest/meta-data/iam/security-credentials' originating from the Skipper proxy process; an unauthenticated (IMDSv1-style) fetch of that path through the proxy indicates successful exploitation.
  • Flag any HTTP request whose X-Skipper-Proxy header value resolves to a link-local (169.254.0.0/16) or RFC 1918 private address, as this is the core SSRF vector. Check the resolved address, not only the literal string: a hostname under the attacker's control can resolve to an internal address.
  • Only Zalando Skipper versions prior to v0.13.237 are vulnerable; upgrading to v0.13.237 or later fixes the issue. As defence in depth, strip or reject the header at any load balancer or edge proxy in front of Skipper.
  • The SSRF is exploitable without authentication (CVSS PR:N): no credentials or session tokens are required, only the ability to send an HTTP request with a crafted header.
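The detection rules above as runnable Go, added here as an example; this is not code from the page, from cvebase or from the Skipper project. It assumes the header value is a proxy URL (scheme-less values such as "10.0.0.5:3128" are accepted too), uses constructed sample values rather than captured traffic, and does no DNS resolution, so a hostname target is reported as "medium" rather than cleared. The stripProxyHeader middleware is an assumed defence-in-depth measure for an edge component, not the upstream fix, which is upgrading to 0.13.237.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"net/url"
	"strings"
)

// Header the advisory names as the SSRF vector, and the IMDS path from the IOC list.
const (
	proxyHeader        = "X-Skipper-Proxy"
	imdsCredentialPath = "/latest/meta-data/iam/security-credentials"
)

// Link-local, loopback and RFC 1918 ranges plus their IPv6 counterparts
// (fc00::/7 also covers the IPv6 IMDS address fd00:ec2::254).
var internalPrefixes = []netip.Prefix{
	netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"), netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
}

// Verdict: Severity is "none", "medium" or "high"; Reason is human-readable.
type Verdict struct{ Severity, Reason string }

// isInternalAddr reports whether a literal IP (IPv4-mapped forms unwrapped)
// falls in one of the internal prefixes.
func isInternalAddr(a netip.Addr) bool {
	a = a.Unmap()
	for _, p := range internalPrefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// proxyTargetHost extracts the host from a proxy URL; scheme-less values are accepted.
func proxyTargetHost(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if !strings.Contains(raw, "://") {
		raw = "http://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("no host in %q", raw)
	}
	return u.Hostname(), nil
}

// classifyProxyHeader applies the page's rule to one header value: the header
// should never arrive from an untrusted client, so any value is at least
// "medium"; a literal internal or link-local target is "high". Hostnames are
// not resolved here (offline), so they stay "medium" instead of being cleared.
func classifyProxyHeader(value string) Verdict {
	if strings.TrimSpace(value) == "" {
		return Verdict{"none", "header absent"}
	}
	host, err := proxyTargetHost(value)
	if err != nil {
		return Verdict{"medium", "unparseable value: " + err.Error()}
	}
	if a, perr := netip.ParseAddr(host); perr == nil {
		if isInternalAddr(a) {
			return Verdict{"high", "proxy target is internal address " + a.String()}
		}
		return Verdict{"medium", "proxy target is external address " + a.String()}
	}
	return Verdict{"medium", "proxy target is hostname " + host + " (not resolved)"}
}

// isIMDSCredentialFetch is the outbound check from the second bullet: a request
// leaving the proxy for the IMDS credential path on an internal address.
func isIMDSCredentialFetch(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	a, err := netip.ParseAddr(u.Hostname())
	return err == nil && isInternalAddr(a) && strings.HasPrefix(u.Path, imdsCredentialPath)
}

// stripProxyHeader is an assumed defence-in-depth middleware for an edge component
// in front of Skipper; it is not the project's fix (upgrade to 0.13.237 or later).
func stripProxyHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(proxyHeader)
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample header values, not captured traffic.
	for _, v := range []string{"http://169.254.169.254", "10.0.0.5:3128",
		"http://[::ffff:192.168.1.1]:8080", "http://proxy.example.com:8080", "http://203.0.113.7"} {
		fmt.Printf("%-34s -> %s: %s\n", v, classifyProxyHeader(v).Severity, classifyProxyHeader(v).Reason)
	}
}
```

Run it against the header values a sensor in front of Skipper actually sees; the IPv4-mapped IPv6 case is included because "::ffff:192.168.1.1" bypasses a naive string match on "192.168." but still lands on the internal network.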