First published: Mon Jul 15 2024 (Updated: )
Linkerd is an open source, ultralight, security-first service mesh for Kubernetes. In affected versions, if the application running behind the Linkerd proxy is vulnerable to server-side request forgery (SSRF), an attacker can use that SSRF to send a request to the proxy's admin endpoint at localhost:4191/shutdown and trigger a denial of service (DoS) by shutting the proxy down. The shutdown endpoint is intended for callers inside the pod (it is reached via localhost), so an SSRF in a container that shares the pod's network namespace is what gives an external attacker that vantage point. The proposed hardening is an optional environment variable that sets a token which must be passed in a request header; Linkerd should reject shutdown requests that do not carry this header. This issue has been addressed in release version edge-24.6.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Linkerd | <edge-24.6.2 | Upgrade to edge-24.6.2 or later
CVE-2024-40632 is a denial-of-service issue: its precondition is an SSRF in the application running alongside the Linkerd proxy, and its effect is that an attacker can shut down that pod's proxy by reaching localhost:4191/shutdown through the SSRF.
To mitigate CVE-2024-40632, upgrade to Linkerd edge-24.6.2 or later, which hardens the proxy's shutdown endpoint. The SSRF in the application is a separate bug that still has to be fixed in the application; upgrading Linkerd only removes the shutdown endpoint as a target.
CVE-2024-40632 affects Linkerd versions prior to edge-24.6.2.
Yes, CVE-2024-40632 allows a denial of service: an attacker who can exploit an SSRF in a meshed application can use it to make the pod's proxy shut down, disrupting the workload's traffic.
Linkerd is an open source service mesh for Kubernetes; it is affected by CVE-2024-40632 because, before edge-24.6.2, its proxy's shutdown endpoint honoured any request that reached it over localhost, not because Linkerd itself performs SSRF.
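The attack chain and the proposed token-header hardening described in the advisory above, as an added example that is not Linkerd's own code: a stand-in for a sidecar proxy's admin server exposing POST /shutdown on the loopback interface, beside a deliberately SSRF-prone "application" that POSTs to any URL a caller supplies. Running the server with no token reproduces the pre-fix behaviour; running it with a token gates the endpoint. The header name `X-Shutdown-Token`, the `start_admin_server`/`operator_shutdown` helpers, the use of an OS-assigned port instead of 4191 and the token value are all assumptions made for this illustration.

```python
"""
Added example, not Linkerd's own code: a loopback admin server with an
optional shared-secret gate on POST /shutdown, plus an SSRF-prone app that
fetches caller-supplied URLs from inside the same network namespace.
Header name, helper names, port and token value are illustrative assumptions.
"""
import hmac
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

SHUTDOWN_TOKEN_HEADER = "X-Shutdown-Token"  # hypothetical header name


class AdminServer(HTTPServer):
    """Loopback-only admin listener. token=None reproduces the unauthenticated
    behaviour the advisory describes; a non-empty token gates /shutdown."""

    def __init__(self, token=None):
        # Port 0 asks the OS for a free port; a real sidecar proxy uses 4191.
        super().__init__(("127.0.0.1", 0), AdminHandler)
        self.token = token
        # Stands in for actually terminating the proxy process.
        self.shutdown_requested = threading.Event()

    @property
    def port(self):
        return self.server_address[1]


class AdminHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def do_GET(self):
        self._reply(405)  # shutdown changes state: accept POST only

    def do_POST(self):
        if self.path != "/shutdown":
            self._reply(404)
            return
        expected = self.server.token
        if expected:
            presented = self.headers.get(SHUTDOWN_TOKEN_HEADER, "")
            # Constant-time comparison so the token cannot be guessed byte by byte.
            if not hmac.compare_digest(presented.encode(), expected.encode()):
                self._reply(403)
                return
        self.server.shutdown_requested.set()
        self._reply(200)

    def _reply(self, status):
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_admin_server(token=None):
    """Start the admin listener on a background thread and return it."""
    server = AdminServer(token)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post(host, port, path, headers=None):
    """Send one POST and return the HTTP status code."""
    conn = HTTPConnection(host, port, timeout=2)
    try:
        conn.request("POST", path, headers=headers or {})
        return conn.getresponse().status
    finally:
        conn.close()


def ssrf_prone_fetch(url):
    """The application's SSRF: a 'webhook test' feature that POSTs to whatever
    URL the caller supplies. The attacker controls the URL but not the
    headers, and because the app shares the pod's network namespace, a URL
    naming 127.0.0.1 reaches the proxy's admin port."""
    parts = urlsplit(url)
    return post(parts.hostname, parts.port or 80, parts.path or "/")


def attacker_shutdown_attempt(port):
    """What an external attacker can do through the SSRF."""
    return ssrf_prone_fetch(f"http://127.0.0.1:{port}/shutdown")


def operator_shutdown(port, token):
    """A legitimate in-pod caller that holds the token (constructed example)."""
    return post("127.0.0.1", port, "/shutdown", {SHUTDOWN_TOKEN_HEADER: token})


if __name__ == "__main__":
    vulnerable = start_admin_server(token=None)
    print("no gate, attacker:", attacker_shutdown_attempt(vulnerable.port),
          "shutdown?", vulnerable.shutdown_requested.is_set())
    hardened = start_admin_server(token="constructed-example-token")
    print("gate, attacker:", attacker_shutdown_attempt(hardened.port),
          "shutdown?", hardened.shutdown_requested.is_set())
    print("gate, operator:", operator_shutdown(hardened.port, "constructed-example-token"),
          "shutdown?", hardened.shutdown_requested.is_set())
```

Two design points worth noting. The gate only helps if the token is not itself reachable through the same SSRF, so it should live in the proxy container's environment rather than anywhere the application can read; and keeping the endpoint POST-only and loopback-only still matters, because the token is a second factor on top of those restrictions, not a replacement for them.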