{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-23T20:56:13.895","vulnerabilities":[{"cve":{"id":"CVE-2026-23742","sourceIdentifier":"security-advisories@github.com","published":"2026-01-16T20:15:51.613","lastModified":"2026-02-18T16:28:20.980","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline, for example through a Kubernetes Ingress resource. The configuration inline allows these users to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they can read skipper secrets. This vulnerability is fixed in 0.23.0."},{"lang":"es","value":"Skipper es un router HTTP y proxy inverso para composición de servicios. La configuración predeterminada de Skipper antes de la versión 0.23.0 era -lua-sources=inline,file. El problema comienza si usuarios no confiables pueden crear filtros Lua, debido a -lua-sources=inline, por ejemplo, a través de un recurso Ingress de Kubernetes. La configuración inline permite a estos usuarios crear un script que es capaz de leer el sistema de archivos accesible al proceso de Skipper y, si el usuario tiene acceso para leer los registros, puede leer los secretos de Skipper. Esta vulnerabilidad se corrige en la versión 0.23.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-94"},{"lang":"en","value":"CWE-250"},{"lang":"en","value":"CWE-522"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:zalando:skipper:*:*:*:*:*:*:*:*","versionEndExcluding":"0.23.0","matchCriteriaId":"B0D14C02-AFA2-4DFF-BFE2-65B34B7B0F81"}]}]}],"references":[{"url":"https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/zalando/skipper/releases/tag/v0.23.0","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory","Mitigation"]}]}}]}