Information Disclosure via X-Kubernetes-PF-FlowSchema-UI Header

Description

The 'X-Kubernetes-PF-FlowSchema-UI' header can reveal information about Kubernetes flow schema configurations and priority levels for requests in the cluster. Attackers who discover these details may perform reconnaissance on how traffic is managed or prioritized, potentially letting them craft requests that manipulate the scheduling or quality-of-service mechanisms in place. Disclosing Kubernetes-specific headers can also lead to targeted exploitation of known issues, misconfigurations, or default settings related to flow control. Ultimately, leaking such internal cluster data broadens the application’s attack surface, enabling malicious actors to refine their strategies for denial of service, privilege escalation, or traffic hijacking.

Remediation

Remove or mask the 'X-Kubernetes-PF-FlowSchema-UI' header in production environments. Configure your Kubernetes ingress, reverse proxy, or load balancer to avoid exposing internal flow schema headers. Keep your Kubernetes version and configurations up to date with security patches, and review FlowSchema and PriorityLevelConfiguration objects to ensure they adhere to the principle of least privilege. Employ a Web Application Firewall (WAF) or network intrusion detection system to detect requests attempting to exploit flow control policies. Regularly audit cluster configurations, logs, and headers to confirm that internal scheduling or traffic management details remain confidential.
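The audit step above, as an added example that is not part of this entry: a Python check that parses the header block of a raw HTTP/1.1 response, reports any header that discloses flow-control details, and returns the header set a reverse proxy should forward instead. It assumes that other headers sharing the `X-Kubernetes-PF-` prefix (such as a priority-level sibling) deserve the same treatment; the sample response and header values are constructed placeholders.

```python
"""Audit HTTP response headers for Kubernetes flow-control disclosure."""
from typing import Dict, List, Tuple

# Header named in the finding, compared case-insensitively (HTTP header
# names are case-insensitive).
FLOW_SCHEMA_HEADER = "x-kubernetes-pf-flowschema-ui"
# Assumption: any other header with this prefix exposes the same class of
# internal scheduling detail and is treated identically.
INTERNAL_PREFIX = "x-kubernetes-pf-"


def _is_internal(name: str) -> bool:
    lname = name.lower()
    return lname == FLOW_SCHEMA_HEADER or lname.startswith(INTERNAL_PREFIX)


def parse_raw_response(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, value) pairs of headers that leak flow-control details."""
    return [(n, v) for n, v in headers.items() if _is_internal(n)]


def sanitize(headers: Dict[str, str]) -> Dict[str, str]:
    """Return the header set with internal flow-control headers removed."""
    return {n: v for n, v in headers.items() if not _is_internal(n)}


# Constructed sample response; values are placeholders, not real cluster data.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Kubernetes-Pf-Flowschema-Ui: flowschema-uid-placeholder\r\n"
    "X-Kubernetes-Pf-Prioritylevel-Uid: prioritylevel-uid-placeholder\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    '{"kind":"APIVersions"}'
)


def audit(raw: str) -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    """Report disclosed headers and the sanitized set to forward."""
    headers = parse_raw_response(raw)
    return find_disclosures(headers), sanitize(headers)


if __name__ == "__main__":
    leaks, clean = audit(SAMPLE_RESPONSE)
    for name, value in leaks:
        print(f"disclosed: {name}: {value}")
    print("forward:", clean)
```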

References

https://kubernetes.io/docs/concepts/cluster-administration/flow-schema-queueing/
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3