216.73.217.98

CVE-2026-23742

· Published 16/01/2026 20:15 · Modified 16/01/2026 20:15

Labels: CVE-2026-23742 2026-01-16CVE-2026-23742CWE-94[email protected]

Essential information

Published
16/01/2026 20:15
Modified
16/01/2026 20:15
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
skipper / skipper cpe:2.3:a:skipper:skipper:<0.23.0:*:*:*:*:*:*:*

References