CVE-2025-14443

Summary

A flaw was found in ose-openshift-apiserver. This vulnerability allows internal network enumeration, service discovery, limited information disclosure, and potential denial-of-service (DoS) through Server-Side Request Forgery (SSRF) due to missing IP address and network-range validation when processing user-supplied image references.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-918: Server-Side Request Forgery (SSRF)

Workarounds

Possible mitigations for this flaw include:

  • removing the permissions that allow users to use the ImageStreamImport feature or explicitly only allowing trusted users to access the feature.
  • explicitly set the apiserver's ImageStreamImport allow-list to trusted image registries. (i.e. oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"allowedRegistriesForImport":[{"domainName": "docker.io"}, {"domainName": "quay.io"}]}}')
  • Set the apiserver's ImageStreamImport to deny all uses. (oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"allowedRegistriesForImport":[{"domainName": "-"}]}}')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References