Bug 1200269 - (CVE-2021-25748) VUL-0: CVE-2021-25748: ingress-nginx-controller: `path` sanitization can be bypassed with newline character
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2022-06-07 07:30 UTC by Thomas Leroy
Modified: 2022-06-13 13:00 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Thomas Leroy 2022-06-07 07:30:09 UTC
Issue Details

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2021-25748.
Affected Components and Configurations

This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get po -n ingress-nginx`.

If you are running the “chrooted” ingress-nginx controller introduced in v1.2.0 (gcr.io/k8s-staging-ingress-nginx/controller-chroot), you are not affected.

Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
Affected Versions

    <v1.2.1

Fixed Versions

    v1.2.1

Mitigation

If you are unable to roll out the fix, this vulnerability can be mitigated by implementing an admission policy that restricts the `spec.rules[].http.paths[].path` field on the networking.k8s.io/Ingress resource to known safe characters (see the newly added rules, or the suggested value for annotation-value-word-blocklist).
Detection

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Additional Details

See ingress-nginx Issue #XXXX for more details.
Acknowledgements

This vulnerability was reported by Gafnit Amiga.
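As an added illustration of the admission-policy mitigation described above (example code, not part of the advisory or of ingress-nginx), the following Python validating-webhook check rejects any Ingress whose `spec.rules[].http.paths[].path` contains a control character such as a newline, or any character outside an assumed allowlist. `SAFE_PATH_RE`, `SAMPLE_REVIEW`, `path_violations` and `admission_response` are names chosen for this example, and the allowlist is an assumption, not the rule set shipped in v1.2.1.

```python
import json
import re

# Allowlist of characters accepted in spec.rules[].http.paths[].path. This is an
# assumed, deliberately strict policy for the example, not the rule set that
# ingress-nginx v1.2.1 ships; widen it to match the path syntax your rules use.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9/._~\-]*$")

# Constructed AdmissionReview request (not a real cluster capture): the second
# path carries a newline, the character class the advisory is about.
SAMPLE_REVIEW = json.dumps({
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "00000000-0000-0000-0000-000000000001", "object": {
        "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
        "spec": {"rules": [{"host": "example.invalid", "http": {"paths": [
            {"path": "/", "pathType": "Prefix"},
            {"path": "/app\n", "pathType": "ImplementationSpecific"}]}}]}}}})


def path_violations(ingress):
    """Return (rule_index, path_index, reason) for every path that fails the policy."""
    violations = []
    for i, rule in enumerate((ingress.get("spec") or {}).get("rules") or []):
        for j, entry in enumerate((rule.get("http") or {}).get("paths") or []):
            path = entry.get("path") or ""
            # Control characters (newline, CR, tab, ...) are rejected outright,
            # before the allowlist, so the reason names the real problem.
            if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
                violations.append((i, j, "control character in path"))
            elif not SAFE_PATH_RE.match(path):
                violations.append((i, j, "character outside allowlist"))
    return violations


def admission_response(review_json):
    """Build the AdmissionReview response a validating webhook would return."""
    req = json.loads(review_json)["request"]
    violations = path_violations(req["object"])
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(
            f"spec.rules[{i}].http.paths[{j}].path: {why}" for i, j, why in violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def check_sample():
    """Run the policy over the constructed request; returns the full review response."""
    return admission_response(SAMPLE_REVIEW)
```

Wired into a ValidatingWebhookConfiguration for `networking.k8s.io/v1` Ingress objects, `admission_response` denies the constructed request because of the newline in the second path while leaving the plain `/` path untouched.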
Comment 3 Thomas Leroy 2022-06-07 10:04:34 UTC
It seems that we only ship ingress-nginx-controller in CaaSP:4.5, which is EOL. Closing.