Description
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9
Patch x_refsource_misc
https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219
Various Sources x_refsource_misc
https://kubernetes.io/docs/concepts/services-networking/service/#externalname
Scores
CVSS v3
8.1
EPSS
0.0027
EPSS Percentile
18.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-918
CWE-441
Status
published
Products (2)
zalando/skipper
< 0.24.0
zalando/skipper
0 - 0.24.0Go
Published
Jan 26, 2026
Tracked Since
Feb 18, 2026