A vulnerability was found in the Cryostat HTTP API. The API binds to all network interfaces (0.0.0.0), which potentially allows external connections to the API port (8181). The Cryostat container runs in a Pod alongside an openshift-oauth-proxy container, which is designed to hide the Cryostat HTTP API behind HTTPS and OpenShift OAuth authn/authz. The Cryostat API port is not exposed on any Service or Route, so it is not reachable from outside the cluster. Cryostat release version 4.0.0 also creates Network Policy objects by default which control network ingress; this effectively prevents the exposed API port from being reached by unexpected clients. However, if the underlying cluster network stack does not support Network Policies, or if the user who installed Cryostat configured its Custom Resource to explicitly disable Network Policies, then this layer of protection is ineffective. Under these conditions, an attacker within the cluster can determine the internal Pod IP of the Cryostat container and send HTTP requests directly to its API port, bypassing the openshift-oauth-proxy completely, so no authn/authz is required.
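The advisory's mitigation rests on NetworkPolicy objects keeping arbitrary in-cluster pods away from port 8181. The following is an added example, not code from Cryostat, its operator or Red Hat: a small offline evaluator of Kubernetes NetworkPolicy ingress semantics (matchLabels-only selectors, no ipBlock peers) run against a constructed policy of the kind the advisory describes. The pod labels, namespace names, the oauth-proxy port (`PROXY_PORT`) and the policy itself are assumptions; only the API port 8181 comes from the advisory. It shows why the API port is unreachable while a restrictive policy is enforced and reachable the moment the policy layer is disabled.

```python
"""Offline check of whether Kubernetes NetworkPolicy objects would block
direct in-cluster access to a pod port. Hypothetical audit helper, not
Cryostat's or OpenShift's code; the policy and pods below are constructed."""

TARGET_PORT = 8181  # Cryostat HTTP API port (from the advisory)
PROXY_PORT = 8443   # assumed oauth-proxy listen port, not taken from the advisory


def _selector_matches(selector, labels):
    """matchLabels-only subset of Kubernetes label selectors.
    An empty selector ({}) matches everything, as in Kubernetes."""
    if selector is None:
        return False
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _peer_matches(peer, policy_ns, src):
    """Does one 'from' peer entry admit the source pod?"""
    pod_sel = peer.get("podSelector")
    ns_sel = peer.get("namespaceSelector")
    if pod_sel is not None and ns_sel is None:
        # podSelector alone only matches pods in the policy's own namespace
        return src["namespace"] == policy_ns and _selector_matches(pod_sel, src["labels"])
    if ns_sel is not None and pod_sel is None:
        return _selector_matches(ns_sel, src["namespace_labels"])
    if ns_sel is not None and pod_sel is not None:
        return (_selector_matches(ns_sel, src["namespace_labels"])
                and _selector_matches(pod_sel, src["labels"]))
    return False  # ipBlock peers are out of scope for this helper


def _port_matches(ports, port, protocol="TCP"):
    """An omitted or empty 'ports' list matches every port."""
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol
               for p in ports)


def ingress_allowed(policies, target, src, port):
    """Kubernetes semantics: if no policy selects the target for Ingress,
    all ingress is allowed; otherwise some rule in some selecting policy
    must admit both the source and the port."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == target["namespace"]
                 and _selector_matches(p["spec"].get("podSelector", {}), target["labels"])
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
    if not selecting:
        return True
    for pol in selecting:
        ns = pol["metadata"]["namespace"]
        for rule in pol["spec"].get("ingress", []):
            peers = rule.get("from", [])
            src_ok = not peers or any(_peer_matches(pe, ns, src) for pe in peers)
            if src_ok and _port_matches(rule.get("ports", []), port):
                return True
    return False


# Constructed target: the Cryostat pod (labels and namespace are assumptions).
CRYOSTAT_POD = {"namespace": "cryostat-ns", "labels": {"app": "cryostat"}}

# Constructed policy in the spirit of the advisory: only pods in namespaces
# carrying OpenShift's router label (assumed: network.openshift.io/policy-group=ingress)
# may reach the oauth-proxy port; no rule admits anything to the API port.
RESTRICT_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "cryostat-restrict-ingress", "namespace": "cryostat-ns"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "cryostat"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {
                "matchLabels": {"network.openshift.io/policy-group": "ingress"}}}],
            "ports": [{"protocol": "TCP", "port": PROXY_PORT}],
        }],
    },
}

# Constructed sources: an unprivileged pod elsewhere in the cluster, and a router pod.
OTHER_POD = {"namespace": "some-other-ns", "namespace_labels": {}, "labels": {}}
ROUTER_POD = {"namespace": "openshift-ingress",
              "namespace_labels": {"network.openshift.io/policy-group": "ingress"},
              "labels": {}}


def api_port_reachable_from_cluster(policies, target=CRYOSTAT_POD, port=TARGET_PORT):
    """True when an arbitrary pod in the cluster could reach the API port,
    i.e. the NetworkPolicy layer is absent or too permissive."""
    return ingress_allowed(policies, target, OTHER_POD, port)


if __name__ == "__main__":
    print("policy enforced, API port reachable:", api_port_reachable_from_cluster([RESTRICT_INGRESS]))  # False
    print("policies disabled, API port reachable:", api_port_reachable_from_cluster([]))  # True
    print("router -> proxy port allowed:",
          ingress_allowed([RESTRICT_INGRESS], CRYOSTAT_POD, ROUTER_POD, PROXY_PORT))  # True
```

The evaluator models what the API server would enforce, not what the CNI actually does: on a cluster whose network stack does not support Network Policies, the objects exist but have no effect, which is exactly the failure mode the advisory names. A defender auditing a deployment should therefore check both that policies selecting the Cryostat pod exist and that the CNI plugin enforces them.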
This issue has been addressed in the following products: Cryostat 4 on RHEL 9, via RHSA-2025:14919 (https://access.redhat.com/errata/RHSA-2025:14919).