• by Fizzadar on 3/24/2025, 9:24:05 PM

    OK it requires access to the pod network. Bad, but not that. Here’s the 9.8: https://github.com/kubernetes/kubernetes/issues/131009

  • by rcconf on 3/25/2025, 10:29:24 PM

    I am a little confused about the comment section about this being overblown; it really isn't. Ignore all the comments in this post and fix this ASAP.

    Here's a simple test:

    `kubectl exec -it` a pod:

    curl -k --fail https://ingress-nginx-controller-admission.ingress-nginx.svc...

    If you see 400 Bad Request, that means this pod has access to the admission controller.

    How easy would it be to find an avenue to make a request to the admission controller for anything running on your k8s cluster? (Maybe your service takes any kind of URL and makes a request on your server... there are infinite possibilities of exploiting this.)

    I am rethinking my choice in using ingress-nginx entirely; perhaps it's time to find a simpler solution that has more secure defaults.
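
The reachability test from the comment above, as an added example (not part of the thread and not ingress-nginx code): a Python probe that separates the "400 Bad Request" result from DNS failure, refusal and timeout, so it can run in a pod without curl. The function name, the verdict strings and the exit-code convention are assumptions; the URL in the thread is truncated, so pass your cluster's admission service URL as the argument.

```python
import socket
import ssl
import sys
import urllib.error
import urllib.request


def probe_admission(url, timeout=3.0):
    """Return (verdict, detail) for one request to the admission webhook URL."""
    # Equivalent of `curl -k`: the webhook certificate is cluster-internal,
    # and this check is about network reachability, not certificate trust.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),  # ignore proxy environment variables
        urllib.request.HTTPSHandler(context=ctx),
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return "reachable", f"HTTP {resp.status}"
    except urllib.error.HTTPError as exc:
        # 400 Bad Request is the result the comment describes: the webhook
        # answered, so this pod has a network path to it.
        return "reachable", f"HTTP {exc.code}"
    except urllib.error.URLError as exc:
        reason = exc.reason
        if isinstance(reason, socket.gaierror):
            return "not-found", "name does not resolve"
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "blocked", "timed out (packets dropped?)"
        if isinstance(reason, ConnectionRefusedError):
            return "blocked", "connection refused"
        return "unknown", str(reason)
    except (socket.timeout, TimeoutError):
        return "blocked", "timed out while reading the response"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <admission-service-url>")
    verdict, detail = probe_admission(sys.argv[1])
    print(f"{verdict}: {detail}")
    # Non-zero exit when the webhook is reachable, so a CI job can fail on it.
    sys.exit(1 if verdict == "reachable" else 0)
```

A "blocked" or "not-found" verdict from one pod says nothing about other namespaces; run it from each workload class you care about.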

  • by liveoneggs on 3/24/2025, 9:36:23 PM

    This seems overblown because configuring your ingress controllers and annotating your pods is like "I copy and pasted bash | sudo" but controllers in k8s are a totally insane pattern so I guess any of them could steal/do a lot of evil, really.

  • by AcidBurn on 3/24/2025, 10:03:17 PM

    Resolved in ingress-nginx v1.11.5/v1.12.1, neither of which seems to have been released yet.

  • by IlikeKitties on 3/24/2025, 9:26:50 PM

    That's quite a terrifying CVE.

    > Multiple issues have been discovered in ingress-nginx that can result in arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

    Beyond that, it could likely be used to sniff out client secrets from other connections as well if the attacker is sophisticated enough.

  • by frereit on 3/25/2025, 6:47:45 AM

    > January 9, 2025 – Kubernetes proposed a fix for CVE-2025-1097.

    > January 10, 2025 – Wiz Research reported a bypass for the proposed fix for CVE-2025-1097.

    > January 12, 2025 – Kubernetes proposed a fix for CVE-2025-1974.

    > January 16, 2025 – Wiz Research reported a bypass for the proposed fix for CVE-2025-1974.

    > January 20, 2025 – Kubernetes proposed a fix for CVE-2025-24513.

    > January 21, 2025 – Wiz Research reported a bypass for the proposed fix for CVE-2025-24513.

    Lol, lmao even. [1]

    [1]: https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabili...

  • by formerly_proven on 3/24/2025, 9:39:13 PM

    4x “stuff dumped into a configuration file verbatim”

    1x “just run the code, CJ”

  • by yimby2001 on 3/24/2025, 9:31:55 PM

    “unauthenticated attacker with access to the pod network” /yawn