Issue Details
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2021-25746.
Affected Components and Configurations
This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running kubectl get po -n ingress-nginx.
Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
Affected Versions
• <v1.2.0
Fixed Versions
• v1.2.0-beta.0
AKS Information:
If you are running the HttpApplicationRouting addon on your AKS cluster you will be vulnerable.
Nginx-ingress-controller images on clusters running k8s version 1.22+ are going to be updated from 1.0.5 to 1.2.0.
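The pod listing above only shows whether ingress-nginx is present. As an added example (not part of the original issue or of the ingress-nginx project), the script below goes one step further and classifies controller image tags against the affected and fixed versions listed here. The function names and sample image references are hypothetical, and it assumes the image tag reflects the controller version.

```shell
#!/bin/sh
# Added example: classify controller image tags against CVE-2021-25746.
# Advisory: affected < v1.2.0, fixed from v1.2.0-beta.0.

# Extract the tag from an image reference (registry[:port]/path:tag[@digest]).
image_tag() {
    ref=${1%%@*}                 # drop a trailing @sha256:... digest
    last=${ref##*/}              # last path component, so registry:port is ignored
    case $last in
        *:*) printf '%s\n' "${last##*:}" ;;
        *)   printf '\n' ;;      # untagged or digest-only reference
    esac
}

# Print fixed, affected or unknown for a tag such as v1.1.3 or 1.2.0-beta.0.
classify_tag() {
    v=${1#v}
    core=${v%%-*}                # version without its pre-release suffix
    pre=
    if [ "$core" != "$v" ]; then pre=${v#*-}; fi
    case $core in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
        *.*.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${core%%.*}; rest=${core#*.}; minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 2 ]; }; then
        echo fixed
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 2 ]; then
        case "$patch:$pre" in
            0:|0:beta*|0:rc*) echo fixed ;;   # v1.2.0-beta.0 is the first fixed build
            0:*) echo unknown ;;              # other 1.2.0 pre-releases: not listed
            *) echo fixed ;;
        esac
    else
        echo affected
    fi
}

# Read image references on stdin, one per line; print "<status> <image>".
scan_images() {
    while IFS= read -r img; do
        [ -n "$img" ] || continue
        printf '%s %s\n' "$(classify_tag "$(image_tag "$img")")" "$img"
    done
}

# Constructed sample input. On a cluster, pipe in the output of:
#   kubectl get po -n ingress-nginx -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'
scan_images <<'EOF'
registry.example:5000/ingress-nginx/controller:v1.1.3@sha256:placeholder
registry.example/ingress-nginx/controller:v1.2.0-beta.0
registry.example/ingress-nginx/controller:1.0.5
EOF
```

Images referenced only by digest or by a non-version tag are reported as `unknown` and need a manual check.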