Ingress-nginx directive injection via annotations
CVE-2021-25746

7.6HIGH

Key Information:

Vendor: Kubernetes
Status: Kubernetes Ingress-nginx
Vendor: CVE Published:; 6 May 2022

🔔 Create Kubernetes Vulnerability Alert

What is CVE-2021-25746?

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Affected Version(s)

Kubernetes ingress-nginx < 1.2.0

References

https://groups.google.com/g/kubernetes-security-announce/...

x_refsource_MISC

https://github.com/kubernetes/ingress-nginx/issues/8503

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20220609-0006/

x_refsource_CONFIRM

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2022
Vulnerability Reserved
Jan 21, 2021

Credit

Anthony Weems

jeffrey&oliver

.