Bug 2420964 (CVE-2025-14443)

Summary: CVE-2025-14443 ose-openshift-apiserver: OpenShift API Server: Server-Side Request Forgery (SSRF) vulnerability in ImageStreamImport mechanism
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in ose-openshift-apiserver. This vulnerability allows internal network enumeration, service discovery, limited information disclosure, and potential denial-of-service (DoS) through Server-Side Request Forgery (SSRF) due to missing IP address and network-range validation when processing user-supplied image references.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-10 13:28:00 UTC
Server-Side Request Forgery (SSRF) vulnerability in the OpenShift API server's ImageStreamImport mechanism, caused by missing IP address and network-range validation when processing user-supplied image references.

During an ImageStreamImport request, the API server constructs outbound HTTP requests to retrieve image manifests from the registry named in the reference, without validating whether the resolved destination belongs to loopback, link-local, RFC 1918 private, or cluster service CIDR ranges. As a result, an authenticated user with image import permissions can make the API server open connections to internal services such as the Kubernetes API server, cloud metadata endpoints, or localhost-only services.

This behavior enables internal network enumeration, service discovery, limited information disclosure via HTTP responses, and potential denial-of-service through excessive connection attempts.
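The validation the description says is missing, as an added Go example that is not the OpenShift API server's own code: it extracts the registry host from a user-supplied image reference, resolves it, rejects any destination that lands in loopback, link-local (which covers the 169.254.169.254 cloud metadata endpoint), RFC 1918 or an assumed cluster service CIDR, and then repeats the same check inside the HTTP transport's dialer. The range list, the 172.30.0.0/16 service CIDR, the host table in fakeResolver and all function names are assumptions made for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// Ranges an import must never reach (assumed for this example; take the service CIDR from the cluster's network config).
var blockedRanges = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("::1/128"),      // loopback
	netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("fe80::/10"), // link-local, incl. 169.254.169.254 (cloud metadata)
	netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("172.16.0.0/12"), // RFC 1918
	netip.MustParsePrefix("192.168.0.0/16"), netip.MustParsePrefix("0.0.0.0/8"), // RFC 1918; 0.0.0.0 reaches localhost on Linux
	netip.MustParsePrefix("172.30.0.0/16"),                                      // assumed cluster service CIDR (OpenShift default)
}

// blockedRange reports the range containing ip. Unmap() folds IPv4-mapped IPv6 (::ffff:127.0.0.1) back to IPv4 first.
func blockedRange(ip netip.Addr) (netip.Prefix, bool) {
	ip = ip.Unmap()
	for _, p := range blockedRanges {
		if p.Contains(ip) {
			return p, true
		}
	}
	return netip.Prefix{}, false
}

// registryHost follows the docker reference grammar: the first path component is a registry only if it
// contains '.' or ':' or is "localhost"; otherwise the registry is docker.io.
func registryHost(ref string) string {
	first, _, found := strings.Cut(ref, "/")
	if !found || (!strings.ContainsAny(first, ".:") && first != "localhost") {
		return "docker.io"
	}
	if host, _, err := net.SplitHostPort(first); err == nil {
		return host
	}
	return strings.Trim(first, "[]") // no port; strip IPv6 brackets
}

// vetHost returns host's addresses only if NONE is blocked, so a public+private record set cannot slip through.
func vetHost(host string, resolve func(string) ([]netip.Addr, error)) ([]netip.Addr, error) {
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("image import: resolving %q failed: %v", host, err)
	}
	for _, ip := range ips {
		if p, hit := blockedRange(ip); hit {
			return nil, fmt.Errorf("image import: %s resolves to %s, inside blocked range %s", host, ip, p)
		}
	}
	return ips, nil
}

// guardedTransport repeats the check inside the dialer and dials the vetted address, not the name: a pre-flight
// check alone is beaten by a DNS answer that changes before connect (rebinding) or by a 3xx to an internal host.
func guardedTransport() *http.Transport {
	return &http.Transport{DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		lookup := func(h string) ([]netip.Addr, error) { return net.DefaultResolver.LookupNetIP(ctx, "ip", h) }
		ips, err := vetHost(host, lookup)
		if err != nil {
			return nil, err
		}
		return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(ips[0].Unmap().String(), port))
	}}
}

// fakeResolver is constructed so the example runs offline; the host table is made up for the demonstration.
func fakeResolver(host string) ([]netip.Addr, error) {
	if ip, err := netip.ParseAddr(host); err == nil {
		return []netip.Addr{ip}, nil // IP literal, as in "169.254.169.254/latest/meta-data"
	}
	ips, ok := map[string][]netip.Addr{
		"quay.io":                {netip.MustParseAddr("203.0.113.10")},
		"localhost":              {netip.MustParseAddr("127.0.0.1")},
		"kubernetes.default.svc": {netip.MustParseAddr("172.30.0.1")},
		"rebind.example.test":    {netip.MustParseAddr("203.0.113.10"), netip.MustParseAddr("10.0.0.5")},
	}[host]
	if !ok {
		return nil, errors.New("no such host")
	}
	return ips, nil
}

func main() {
	for _, ref := range []string{"quay.io/team/app:1.2", "169.254.169.254/latest/meta-data", "rebind.example.test/app"} {
		_, err := vetHost(registryHost(ref), fakeResolver)
		fmt.Printf("%-36s err=%v\n", ref, err)
	}
}
```

Two design points matter more than the exact range list. First, a host is rejected if any of its addresses is blocked, not only the first one, since a record set that mixes a public and a private address would otherwise depend on which one the dialer happens to pick. Second, the check is applied again in DialContext and the connection is made to the vetted address rather than to the name: a single check before the request leaves a window for DNS rebinding, and it says nothing about a registry that answers the manifest fetch with a redirect to an internal host, whereas the dialer sees every connection the transport opens, redirects included. In a real deployment the service CIDR must be read from the cluster's network configuration rather than hard-coded.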