CVE-2021-25748 — Vulnetix

CVE-2021-25748 PUBLISHED

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

EPSS 0.07% · 22.3th percentile

Risk Scores

EPSS Score

0.07%

22.3th percentile

Affected Products

Vendor	Product	Versions
Bitnami	nginx-ingress-controller	0
Bitnami	nginx-ingress-controller	0

Timeline

CVE Published
May 25, 2023 EPSS Score
Jun 30, 2023 EPSS Score
Aug 5, 2023 EPSS Score
Sep 11, 2023 EPSS Score
Oct 17, 2023 EPSS Score
Nov 22, 2023 EPSS Score
Dec 28, 2023 EPSS Score
Feb 2, 2024 EPSS Score
Mar 9, 2024 EPSS Score
Apr 15, 2024 EPSS Score
May 21, 2024 EPSS Score

References

https://github.com/kubernetes/ingress-nginx/issues/8686 url
https://groups.google.com/g/kubernetes-security-announce/c/avaRYa9c7I8 url
https://nvd.nist.gov/vuln/detail/CVE-2021-25748 url

Open in Interactive Console →