Security
- Fixed an issue in the http_challenge server node attestor plugin which allowed an attacker to perform an SSRF attack. The attacker could potentially redirect the server to a domain that they wouldn't normally have access to. spire-server would make an unauthenticated GET request to that domain and return the first 64 bytes of the response to the attacker. Thank you, Oleh Konko (@1seal), for reporting this issue.
- Fixed an issue in the x509pop server node attestor plugin which allowed an attacker to make spire-server consume large and disproportionate amounts of CPU time during the node attestation process. Thank you, Jakub Ciolek, for reporting this issue.