The 'X-Kubernetes-PF-PriorityLevel-UID' header reveals information about Kubernetes request priority levels, disclosing how traffic is categorized and managed within the cluster. Attackers who learn these details may target or manipulate the cluster's traffic shaping or queueing mechanisms, leading to denial-of-service exploits or privilege escalation attempts. By exposing the UID of a particular PriorityLevel, malicious actors gain insight into the internal flow control configuration and can craft requests that exploit trust or policy assumptions. Ultimately, leaking this header increases the cluster's attack surface and removes the modest protection that comes from keeping Kubernetes internals opaque.
Remove or obfuscate the 'X-Kubernetes-PF-PriorityLevel-UID' header in production environments. Configure your Kubernetes ingress, reverse proxy, or load balancer to drop or sanitize response headers that expose traffic management details. Keep Kubernetes flow control objects (FlowSchema, PriorityLevelConfiguration) updated and aligned with best practices for authentication and least privilege. Consider deploying a Web Application Firewall (WAF) or intrusion detection system to monitor for suspicious traffic that attempts to exploit or manipulate cluster prioritization. Regularly review logs and cluster configurations to confirm that no sensitive or environment-specific data is inadvertently exposed in HTTP headers.
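The following added example (not code from the original page or from any Kubernetes project) shows the review step above as a check: it parses a raw HTTP response, reports any API Priority and Fairness headers that an ingress has forwarded unchanged, and strips them the way a sanitizing proxy should. The sample response and its UIDs are constructed; it assumes only that the kube-apiserver emits both 'X-Kubernetes-PF-PriorityLevel-UID' and its sibling 'X-Kubernetes-PF-FlowSchema-UID'.

```python
"""Detect and strip leaked API Priority and Fairness (APF) response headers.

Added example, not from the original page. SAMPLE_RESPONSE is constructed,
not captured from a real cluster; the UIDs are placeholders.
"""
from typing import Dict, List, Tuple

# Both APF headers emitted by the kube-apiserver share this prefix.
APF_HEADER_PREFIX = "x-kubernetes-pf-"

# Constructed sample: an ingress that forwards apiserver headers unchanged.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Kubernetes-Pf-Flowschema-Uid: 00000000-0000-4000-8000-000000000001\r\n"
    "X-Kubernetes-Pf-Prioritylevel-Uid: 00000000-0000-4000-8000-000000000002\r\n"
    "Cache-Control: no-cache, private\r\n"
    "\r\n"
    '{"kind":"APIVersions"}'
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x response into (name, value) header pairs.

    Only the header block is parsed; the status line and body are ignored.
    Names are lower-cased because HTTP field names are case-insensitive.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_leaked_apf_headers(raw: str) -> Dict[str, str]:
    """Return every X-Kubernetes-PF-* header present in the response."""
    return {n: v for n, v in parse_headers(raw) if n.startswith(APF_HEADER_PREFIX)}


def sanitize_headers(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Drop APF headers, as a proxy should before forwarding to clients."""
    return [(n, v) for n, v in pairs if not n.startswith(APF_HEADER_PREFIX)]


if __name__ == "__main__":
    for name, value in find_leaked_apf_headers(SAMPLE_RESPONSE).items():
        print(f"leaked: {name} = {value}")
```

Point the parser at a real response (for example the output of a TLS-terminated request to the ingress that fronts the API server) to confirm the proxy-level fix is actually in effect.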
Code: A05:2021
Category: Security Misconfiguration
5.3