Bugzilla – Bug 1199373
VUL-0: CVE-2021-25746: nginx-ingress-controller: directive injection via annotations
Last modified: 2022-06-07 10:05:33 UTC
A security issue was discovered in ingress-nginx where a user who can create or update Ingress objects can use `.metadata.annotations` in an Ingress object (in the `networking.k8s.io` or `extensions` API group) to inject nginx configuration directives and obtain the credentials of the ingress-nginx controller (the service account token the controller pod runs with). In the default configuration, that credential has access to all secrets in the cluster. This bug affects ingress-nginx only. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get po -n ingress-nginx`; note that this only finds a controller deployed in the default `ingress-nginx` namespace, so also check any other namespace your installation uses. Multitenant environments where non-admin users have permissions to create or update Ingress objects are most affected by this issue.
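The advisory turns on two RBAC facts: the controller's service account can read secrets cluster-wide, and some non-admin principal can create or update Ingress objects. The script below, an added triage example that is not part of this bug report or of the ingress-nginx project, evaluates both against RBAC objects in the shape `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json` returns. The service account name and namespace (`ingress-nginx`/`ingress-nginx`) and the RBAC objects embedded below are constructed sample data and assumptions for illustration; adjust them to your installation.

```python
"""Triage helper for CVE-2021-25746 exposure: added example, not project code."""
import json

SECRET_READ_VERBS = {"get", "list", "watch"}      # any of these reveals secret data
INGRESS_WRITE_VERBS = {"create", "update", "patch"}
INGRESS_GROUPS = {"networking.k8s.io", "extensions"}


def _matches(values, wanted):
    """RBAC lists match literally or via the wildcard "*"."""
    return "*" in values or bool(set(values) & wanted)


def rule_grants(rule, groups, resource, verbs):
    return (_matches(rule.get("apiGroups", []), groups)
            and _matches(rule.get("resources", []), {resource})
            and _matches(rule.get("verbs", []), verbs))


def index_roles(items):
    """Map (kind, namespace, name) -> rules; ClusterRoles use namespace ""."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace", "") if obj["kind"] == "Role" else ""
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj.get("rules") or []
    return roles


def rules_of(binding, roles):
    """Resolve a binding's roleRef; a RoleBinding may point at a ClusterRole."""
    ref = binding["roleRef"]
    ns = binding["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
    return roles.get((ref["kind"], ns, ref["name"]), [])


def controller_reads_secrets_cluster_wide(items, sa_namespace="ingress-nginx",
                                          sa_name="ingress-nginx"):
    """True if a ClusterRoleBinding gives the controller SA secret read access.
    Only ClusterRoleBindings count: a RoleBinding limits the grant to one namespace."""
    roles = index_roles(items)
    for b in items:
        if b["kind"] != "ClusterRoleBinding":
            continue
        bound = any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                    and s.get("namespace") == sa_namespace
                    for s in b.get("subjects") or [])
        if bound and any(rule_grants(r, {""}, "secrets", SECRET_READ_VERBS)
                         for r in rules_of(b, roles)):
            return True
    return False


def ingress_writers(items):
    """Subjects that may create/update/patch Ingress objects, with their scope."""
    roles = index_roles(items)
    found = set()
    for b in items:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(rule_grants(r, INGRESS_GROUPS, "ingresses", INGRESS_WRITE_VERBS)
                   for r in rules_of(b, roles)):
            continue
        scope = ("cluster-wide" if b["kind"] == "ClusterRoleBinding"
                 else f"namespace {b['metadata']['namespace']}")
        for s in b.get("subjects") or []:
            found.add(f"{s['kind']}:{s['name']} ({scope})")
    return sorted(found)


def load_items(text):
    """Parse `kubectl get ... -o json` output (a List) into its items."""
    return json.loads(text)["items"]


# Constructed sample RBAC objects (not from a real cluster). The controller
# ClusterRole mirrors the upstream default of list/watch on secrets.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "ingress-nginx"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps", "endpoints", "nodes",
                                                  "pods", "secrets", "namespaces"],
                "verbs": ["list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ingress-nginx"},
     "roleRef": {"kind": "ClusterRole", "name": "ingress-nginx"},
     "subjects": [{"kind": "ServiceAccount", "name": "ingress-nginx",
                   "namespace": "ingress-nginx"}]},
    {"kind": "Role", "metadata": {"name": "tenant-developer", "namespace": "team-a"},
     "rules": [{"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
                "verbs": ["get", "list", "create", "update", "patch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "team-a-devs", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "tenant-developer"},
     "subjects": [{"kind": "Group", "name": "team-a-developers"}]},
    {"kind": "ClusterRole", "metadata": {"name": "ingress-viewer"},
     "rules": [{"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
                "verbs": ["get", "list", "watch"]}]},   # read-only: not a writer
    {"kind": "ClusterRoleBinding", "metadata": {"name": "auditors"},
     "roleRef": {"kind": "ClusterRole", "name": "ingress-viewer"},
     "subjects": [{"kind": "Group", "name": "auditors"}]},
]

if __name__ == "__main__":
    print("controller can read all secrets:",
          controller_reads_secrets_cluster_wide(SAMPLE_ITEMS))
    print("principals able to create/update Ingress objects:")
    for who in ingress_writers(SAMPLE_ITEMS):
        print("  ", who)
```

If the first check is true and the second list contains anyone who is not already a cluster administrator, the cluster matches the "most affected" multitenant case in the advisory. Aggregated ClusterRoles (such as `admin` or `edit`) are only handled to the extent that their resolved rules are present in the dump, so review those bindings by hand.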
It seems that we only ship ingress-nginx-controller in CaaSP:4.5, which is EOL. Closing.