
Three high-severity security vulnerabilities have been disclosed in the NGINX Ingress controller for Kubernetes, each of which could allow theft of secret credentials. The vulnerabilities are:
- CVE-2022-4886 (CVSS score: 8.8) - Bypassing path sanitization to acquire ingress-nginx controller credentials.
- CVE-2023-5043 (CVSS score: 7.6) - Enabling arbitrary command execution through ingress-nginx annotation injection.
- CVE-2023-5044 (CVSS score: 7.6) - Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, noted that these vulnerabilities could empower an attacker controlling the Ingress object configuration to pilfer secret credentials, especially referring to CVE-2023-5043 and CVE-2023-5044. Successful exploitation could lead to arbitrary code injection into the ingress controller process, resulting in unauthorized access to sensitive data.
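Because two of the three issues hinge on Ingress objects carrying hostile values (an annotation value that is not a plain URL, a path containing characters the controller passes into its configuration), a defender can lint Ingress manifests before they reach the cluster. The script below is an added example written for this summary, not code from the article, from ARMO or from the ingress-nginx project. It applies a conservative local policy (an assumption of this example, not the controller's own validator): the `nginx.ingress.kubernetes.io/permanent-redirect` value must be an absolute http(s) URL containing no whitespace or nginx configuration metacharacters, and every rule path must stay within a small allowlist of URL characters. The sample `IngressList` is constructed inline in the shape `kubectl get ingress -A -o json` produces.

```python
"""Lint Ingress objects for annotation and path values that a hardened
ingress-nginx would reject.  Added example; policy thresholds are assumed."""
import json
import re
from urllib.parse import urlsplit

REDIRECT_ANNOTATION = "nginx.ingress.kubernetes.io/permanent-redirect"

# Assumed policy: a redirect target is a bare URL, so whitespace, quotes,
# backslashes and the characters that delimit nginx directives/blocks or
# introduce nginx variables have no business in it.
FORBIDDEN_IN_URL = re.compile(r"""[\s;{}$\\'"]""")

# Assumed policy: rule paths are plain path segments, not regex fragments.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]*$")


def check_redirect_annotation(value):
    """Return a list of findings for one permanent-redirect annotation value."""
    findings = []
    if FORBIDDEN_IN_URL.search(value):
        findings.append(f"{REDIRECT_ANNOTATION}: contains whitespace or nginx metacharacters")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        findings.append(f"{REDIRECT_ANNOTATION}: not an absolute http(s) URL")
    return findings


def check_paths(ingress):
    """Flag rule paths that fall outside the conservative character allowlist."""
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            p = path.get("path", "/")
            if not SAFE_PATH.match(p):
                findings.append(
                    f"path {p!r}: characters outside the allowlist "
                    f"(pathType={path.get('pathType')})"
                )
    return findings


def check_ingress(ingress):
    """All findings for a single Ingress object (a dict from the API JSON)."""
    findings = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    if REDIRECT_ANNOTATION in annotations:
        findings.extend(check_redirect_annotation(annotations[REDIRECT_ANNOTATION]))
    findings.extend(check_paths(ingress))
    return findings


def check_ingress_list(doc):
    """Map 'namespace/name' -> findings for every item of an IngressList."""
    report = {}
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        report[key] = check_ingress(item)
    return report


# Constructed sample data: one well-formed Ingress and one that would be flagged.
SAMPLE_INGRESS_LIST = {
    "kind": "IngressList",
    "items": [
        {
            "metadata": {"name": "web", "namespace": "prod",
                         "annotations": {REDIRECT_ANNOTATION: "https://www.example.com/"}},
            "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}]},
        },
        {
            "metadata": {"name": "legacy", "namespace": "prod",
                         # constructed malformed value: whitespace and ';' inside a "URL"
                         "annotations": {REDIRECT_ANNOTATION: "https://example.com/old; extra"}},
            "spec": {"rules": [{"http": {"paths": [
                {"path": "/api/(.*)", "pathType": "ImplementationSpecific"}]}}]},
        },
    ],
}

if __name__ == "__main__":
    # Real use: json.load(open("ingresses.json")) from `kubectl get ingress -A -o json`
    print(json.dumps(check_ingress_list(SAMPLE_INGRESS_LIST), indent=2))
```

Run it against a dump of live objects before and after upgrading the controller; anything it flags deserves a look regardless of the CVEs, because a redirect target with embedded whitespace or a path written as a regex is not a value a well-formed Ingress needs. This lint complements, rather than replaces, the controller's own hardening: current ingress-nginx releases expose `--enable-annotation-validation` and `--strict-validate-path-type` (upstream flags, not mentioned in the article) to reject such values at admission time.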