In KubePlus 4.1.4, the mutating webhook and kubeconfiggenerator components have an SSRF vulnerability when processing the chartURL field of ResourceComposition resources. The field is only URL-encoded without validating the target address. More critically, when kubeconfiggenerator uses wget to download charts, the chartURL is directly concatenated into the command, allowing attackers to inject wget's --header option to achieve arbitrary HTTP header injection.
Exploitability
AV:NAC:LPR:HUI:NScope
S:CImpact
C:HI:LA:N7.6/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N