CVE-2021-25742

Summary

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetes ingress-nginxunspecified <= 0.49.0affected
KubernetesKubernetes ingress-nginxnext of 0.49.0 < unspecifiedunknown
KubernetesKubernetes ingress-nginxunspecified <= 1.0.0affected
KubernetesKubernetes ingress-nginxnext of 1.0.0 < unspecifiedunknown

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation

Workarounds

This can be mitigated by disallowing snippet annotations on a supported version. Refer to https://github.com/kubernetes/ingress-nginx/issues/7837 for instructions.

ADP Enrichment

CVE Program Container

Additional References

References