{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29954", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T18:42:18.548Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T16:25:36.231Z"}, "descriptions": [{"lang": "en", "value": "In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gist.github.com/b0b0haha/33baea60fd2a847f11f1fb02e43c64c0"}, {"url": "https://github.com/b0b0haha/CVE-2026-29954/blob/main/README.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-88", "lang": "en", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:40:31.139944Z", "id": "CVE-2026-29954", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:42:18.548Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29954", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T18:40:31.139944Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:39:20.851Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://gist.github.com/b0b0haha/33baea60fd2a847f11f1fb02e43c64c0"}, {"url": "https://github.com/b0b0haha/CVE-2026-29954/blob/main/README.md"}], "descriptions": [{"lang": "en", "value": "In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T16:25:36.231Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29954", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:42:18.548Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-30T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudark:kubeplus:4.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "C0807B33-5182-4003-A830-0D8F9633C3A1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's `--header` option to achieve arbitrary HTTP header injection."}, {"lang": "es", "value": "En KubePlus 4.1.4, los componentes mutating webhook y kubeconfiggenerator tienen una vulnerabilidad SSRF al procesar el campo chartURL de los recursos ResourceComposition. El campo solo est\u00e1 codificado en URL sin validar la direcci\u00f3n de destino. M\u00e1s cr\u00edticamente, cuando kubeconfiggenerator utiliza wget para descargar charts, la chartURL se concatena directamente en el comando, permitiendo a los atacantes inyectar la opci\u00f3n --header de wget para lograr la inyecci\u00f3n arbitraria de encabezados HTTP."}], "id": "CVE-2026-29954", "lastModified": "2026-04-06T15:51:33.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T17:16:15.867", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://gist.github.com/b0b0haha/33baea60fd2a847f11f1fb02e43c64c0"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/b0b0haha/CVE-2026-29954/blob/main/README.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}, {"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.1.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "kubeplus", "vendor": "cloud-ark"}], "analysis": {"en": {"generated_at": "2026-04-06T19:58:09.580176+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest supported KubePlus version that resolves the SSRF and header injection flaw.", "If an upgrade is not yet available, restrict the webhook to allow chartURL entries only from a whitelist of trusted registries.", "Disable or remove the kubeconfiggenerator component if it is not essential.", "Implement network segmentation or firewall rules to block outbound traffic from the KubePlus server to external hosts.", "Monitor API server logs for unusual ResourceComposition creations that contain suspicious chartURL values."], "summary": {"action": "Apply Patch", "impact": "SSRF & HTTP Header Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the KubePlus 4.1.4 distribution provided by CloudArk. No other vendors or product versions are listed as impacted, so the scope is limited to installations running this specific release.", "description_and_impact": "An SSRF vulnerability exists in the mutating webhook and kubeconfiggenerator components of KubePlus version 4.1.4 when processing the chartURL field in ResourceComposition resources. The field is only URL\u2011encoded, with no validation of the target address. In addition, the kubeconfiggenerator builds a wget command by directly concatenating the chartURL value, allowing attackers to inject wget\u2019s --header option and perform arbitrary HTTP header injection, which may subvert authentication or other security controls. The weakness corresponds to CWE\u201188 (Unvalidated Redirects and Forwards) and CWE\u2011918 (Server Side Request Forgery).", "risk_and_exploitability": "The CVSS score of 7.6 indicates high severity, while an EPSS score of less than 1% suggests a low current likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation requires only a crafted ResourceComposition object containing an unvalidated chartURL value, which a remote attacker could supply via the API server. The likely attack vector is remote through the Kubernetes API, enabling the attacker to force the server to perform requests to arbitrary URLs and inject custom HTTP headers, potentially exposing internal resources or facilitating credential theft."}}}}, "created": "2026-03-30T20:56:28.781292+00:00", "updated": "2026-04-07T08:08:49.451346+00:00", "vendors": ["cloud-ark", "cloud-ark$PRODUCT$kubeplus"]}