diff --git a/website/content/docs/upgrading/upgrade-to-1.17.x.mdx b/website/content/docs/upgrading/upgrade-to-1.17.x.mdx index 2f04428e89..743b7dcc57 100644 --- a/website/content/docs/upgrading/upgrade-to-1.17.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.17.x.mdx @@ -204,4 +204,6 @@ more details, and information about opt-out. @include 'known-issues/sync-activation-flags-cache-not-updated.mdx' +@include 'known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx' + @include 'known-issues/duplicate-hsm-key.mdx' diff --git a/website/content/partials/known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx b/website/content/partials/known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx new file mode 100644 index 0000000000..dc0408fc39 --- /dev/null +++ b/website/content/partials/known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx @@ -0,0 +1,21 @@ +### Secrets Sync SSRF Protection May Block Private Endpoints + +As of version 1.17.3, Vault's Secrets Sync includes additional Server-Side Request Forgery (SSRF) protection measures. This security enhancement prevents sync operations to certain IP ranges by introducing a new SSRF-safe HTTP client. The client specifically blocks requests to private IP ranges (such as 10.0.0.0/8), which affects users accessing cloud provider secret stores through private endpoints. + +**Impact:** +- Secrets Sync operations to private IP ranges will be blocked +- Affects all destinations when accessed via private endpoints + +**Example error message:** + + + +```plaintext +couldn't sync secret with store: failed to publish event: dial tcp [IP]: prohibited IP address: [IP] is not a permitted destination (denied by: 10.0.0.0/8) +``` + + + +**Current Workaround:** +1. Remain on Vault version 1.17.2 or earlier if you require Secrets Sync with private endpoints +2. Use public endpoints for your secret store services
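Review bot: In the new partial, the "Current Workaround" list should state the trade-off of option 1 explicitly: staying on 1.17.2 or earlier to keep Secrets Sync working over private endpoints also means running without the SSRF protection the same section describes as a security enhancement, and a reader deciding between the two options needs that spelled out rather than implied. Suggest a sentence after item 1 along the lines of "Note that versions prior to 1.17.3 do not include the SSRF protection described above." Two smaller documentation gaps in the same hunk: the body says the client blocks private ranges "such as 10.0.0.0/8" while the error message and the Impact bullets only mention that one range, so the partial should either list the full set of denied ranges or link to where they are documented, since an operator on another RFC 1918 range cannot otherwise tell whether they are affected; and the "Example error message" block is preceded by several empty lines, which suggests a stripped wrapper element or stray whitespace and should be tidied to a single blank line before the fence.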