CVE-2021-25746: Ingress-nginx directive injection via annotations #2909
Labels
Comments
miwithro
added
the
resolution/answer-provided
|
Thanks for reaching out. I'm closing this issue as it was marked with "Answer Provided" and it hasn't had activity for 2 days. |
ghost
closed this as 
This issue was closed.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Issue Details
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use
.metadata.annotationsin an Ingress object (in thenetworking.k8s.ioorextensionsAPI group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2021-25746.
Affected Components and Configurations
This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running
kubectl get po -n ingress-nginx.Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
Affected Versions
• <v1.2.0
Fixed Versions
• v1.2.0-beta.0
AKS Information:
If you are running the HttpApplicationRouting addon on your AKS cluster you will be vulnerable.
Nginx-ingress-controller images of clusters with 1.22+ k8s version are going to be updated from 1.0.5 to 1.2.0
The text was updated successfully, but these errors were encountered: