A namespace-scoped cert-manager tenant with `create` permissions for `Issuer` and `Secret` resources can exploit a reflected SSRF vulnerability in cert-manager versions v1.15-v1.17+main. This allows the tenant to force the cert-manager controller to make outbound HTTP requests to arbitrary URLs specified in the `Issuer.spec.vault.server` field and read the response via `Issuer.status.conditions[Ready].message`. The vulnerability enables a low-privileged user to exfiltrate internal service data (e.g., Kubernetes API, Vault, EC2 metadata) and steal secrets via the `X-Vault-Token` header.

| Vendor | Product | Versions |
|---|---|---|
| jetstack | cert-manager | v1.15 - v1.17+main |
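
Because the request target comes from `Issuer.spec.vault.server`, existing Issuers can be audited for that field pointing anywhere other than an approved Vault endpoint. The following is an added example, not cert-manager code: it takes a list shaped like the output of `kubectl get issuers -A -o json`, and the allowlist, the sample objects and the function names are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only Vault endpoint tenants are expected to reference.
ALLOWED_VAULT_HOSTS = {"vault.example.internal"}

def classify_server(url, allowed=ALLOWED_VAULT_HOSTS):
    """Return a reason string when a vault.server URL should be reviewed, else None."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. malformed IPv6 brackets
        return "unparseable URL"
    if not host:
        return "no host in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an IP literal
        return None if host in allowed else "host not in allowlist"
    if ip.is_link_local:  # checked first: 169.254.0.0/16 also counts as private
        return "link-local address (cloud metadata range)"
    if ip.is_loopback or ip.is_private:
        return "internal IP literal"
    return "IP literal not in allowlist"

def audit_issuers(issuer_list):
    """Yield (namespace, name, server, reason) for every Vault Issuer that is flagged."""
    findings = []
    for item in issuer_list.get("items", []):
        vault = (item.get("spec") or {}).get("vault")
        if not vault:  # ACME, CA, self-signed issuers are out of scope here
            continue
        server = vault.get("server", "")
        reason = classify_server(server)
        if reason:
            meta = item.get("metadata", {})
            findings.append((meta.get("namespace"), meta.get("name"), server, reason))
    return findings

# Constructed sample input, not taken from a real cluster.
SAMPLE = {"items": [
    {"metadata": {"namespace": "team-a", "name": "vault-ok"},
     "spec": {"vault": {"server": "https://vault.example.internal:8200"}}},
    {"metadata": {"namespace": "team-b", "name": "probe-a"},
     "spec": {"vault": {"server": "http://169.254.169.254/latest/meta-data/"}}},
    {"metadata": {"namespace": "team-b", "name": "probe-b"},
     "spec": {"vault": {"server": "https://kubernetes.default.svc:443"}}},
    {"metadata": {"namespace": "team-c", "name": "acme"}, "spec": {"acme": {}}},
]}

if __name__ == "__main__":
    for finding in audit_issuers(SAMPLE):
        print(*finding, sep="\t")
```

The same classification can be applied at admission time so that a flagged `server` value is rejected before the controller ever processes the Issuer.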