Araştırmalara Dön
Platform Exploits

Account Hijacking and Internal Network Attacks in Kubeflow

Eresus Security Research TeamGüvenlik Araştırmacısı
14 Eylül 2024
1 dk okuma

Overview

Kubeflow often runs high-privilege notebooks. An unauthenticated API bypass or Server-Side Request Forgery (SSRF) present in MLflow / Kubeflow can give attackers full access to the underlying Kubernetes nodes and cloud metadata service (IMDS).

Remediation

Implement strict OIDC authentication for Kubeflow. Block container access to cloud IMDS endpoints via NetworkPolicies.