Bug 1199373 - (CVE-2021-25746) VUL-0: CVE-2021-25746: nginx-ingress-controller: directive injection via annotations
(CVE-2021-25746)
VUL-0: CVE-2021-25746: nginx-ingress-controller: directive injection via anno...
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Containers Team
Security Team bot
https://smash.suse.de/issue/329930/
CVSSv3.1:SUSE:CVE-2021-25746:7.6:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-05-10 07:29 UTC by Hu
Modified: 2022-06-07 10:05 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hu 2022-05-10 07:29:01 UTC
rh#2076618

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use `.metadata.annotations` in an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get po -n ingress-nginx`. Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2076618
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25746
https://seclists.org/oss-sec/2022/q2/56
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25746
http://www.cvedetails.com/cve/CVE-2021-25746/
https://github.com/kubernetes/ingress-nginx/issues/8503
https://groups.google.com/g/kubernetes-security-announce/c/hv2-SfdqcfQ
Comment 2 Thomas Leroy 2022-06-07 10:05:33 UTC
It seems that we only ship ingress-nginx-controller in CaaSP:4.5, which is EOL. Closing