CVE-2026-24117
MEDIUM5.3EPSS 0.02%Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL
描述
## Summary `/api/v1/index/retrieve` supports retrieving a public key via a user-provided URL, allowing attackers to trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through [Blind SSRF](https://portswigger.net/web-security/ssrf/blind). ## Impact * SSRF to cloud metadata (169.254.169.254) * SSRF to internal Kubernetes APIs * SSRF to any service accessible from Fulcio's network ## Patches Upgrade to v1.5.0. Note that this is a breaking change to the search API and fully disables lookups by URL. If you require this feature, please reach out and we can discuss alternatives. ## Workarounds Disable the search endpoint with `--enable_retrieve_api=false`.
受影響套件(3)
- Debian/rekorfrom 0
- Go/github.com/sigstore/rekorfrom 0, < 1.5.0
- Go/github.com/sigstore/rekorfrom 0, < 1.5.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-24117
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-24117
- PATCHhttps://github.com/sigstore/rekor
- WEBhttps://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f
- WEBhttps://github.com/sigstore/rekor/releases/tag/v1.5.0
- WEBhttps://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j