Ingress-nginx `path` sanitization can be bypassed with newline character
CVE-2021-25748
7.6HIGH
What is CVE-2021-25748?
A security vulnerability has been identified in ingress-nginx that allows an authenticated user to exploit newline characters in the spec.rules[].http.paths[].path
field of an Ingress object. This manipulation can circumvent existing sanitization measures, enabling the unauthorized retrieval of the ingress-nginx controller's credentials, which by default possess access to all secrets within the Kubernetes cluster. This flaw poses a significant risk as it could lead to unauthorized access to sensitive information and requires immediate attention to mitigate potential exploitation.
Affected Version(s)
Kubernetes ingress-nginx < 1.2.1