hashicorp · yhyakuna · Dec 13, 2024 · Dec 13, 2024 · Dec 13, 2024
@@ -203,3 +203,5 @@ more details, and information about opt-out.
 @include 'known-issues/aws-auth-external-id.mdx'
 
 @include 'known-issues/sync-activation-flags-cache-not-updated.mdx'
+
+@include 'known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx'
@@ -0,0 +1,21 @@
+### Secrets Sync SSRF Protection May Block Private Endpoints
+
+As of version 1.17.3, Vault's Secrets Sync includes additional Server-Side Request Forgery (SSRF) protection measures. This security enhancement prevents sync operations to certain IP ranges by introducing a new SSRF-safe HTTP client. The client specifically blocks requests to private IP ranges (such as 10.0.0.0/8), which affects users accessing cloud provider secret stores through private endpoints.
+
+**Impact:**
+- Secrets Sync operations to private IP ranges will be blocked
+- Affects all destinations when accessed via private endpoints
+
+**Example error message:**
+
+<CodeBlockConfig hideClipboard>
+
+```plaintext
+couldn't sync secret with store: failed to publish event: dial tcp [IP]: prohibited IP address: [IP] is not a permitted destination (denied by: 10.0.0.0/8)
+```
+
+</CodeBlockConfig>
+
+**Current Workaround:**
+1. Remain on Vault version 1.17.2 or earlier if you require Secrets Sync with private endpoints
+2. Use public endpoints for your secret store services
Original file line number	Diff line number	Diff line change
Expand Up		@@ -203,3 +203,5 @@ more details, and information about opt-out.
		@include 'known-issues/aws-auth-external-id.mdx'

		@include 'known-issues/sync-activation-flags-cache-not-updated.mdx'

		@include 'known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx'