
CVE-2024-7646: Ingress-nginx Annotation Validation Bypass #126744


Description

@cji

CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the networking.k8s.io or extensions API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

This issue has been rated High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and assigned CVE-2024-7646.

Am I vulnerable?

This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running kubectl get po -A and looking for ingress-nginx-controller.

Multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.

Affected Versions

ingress-nginx controller < v1.11.2
ingress-nginx controller < v1.10.4

How do I mitigate this vulnerability?

This issue can be mitigated by upgrading to the fixed version.

Fixed Versions

ingress-nginx controller v1.11.2 - fixed by kubernetes/ingress-nginx#11719 and kubernetes/ingress-nginx#11721
ingress-nginx controller v1.10.4 - fixed by kubernetes/ingress-nginx#11718 and kubernetes/ingress-nginx#11722

Detection

Review your Kubernetes audit logs for Ingress objects created with annotations (e.g. nginx.ingress.kubernetes.io/auth-tls-verify-client) that contain carriage returns (\r).

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io.
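As an added example (not part of the advisory or the ingress-nginx project), the following script applies the detection criterion above to Kubernetes audit log entries: it scans newline-delimited audit.k8s.io/v1 Event records for create/update/patch requests on Ingress objects whose annotation values contain a carriage return. The sample log lines are constructed; the script assumes the audit policy logs Ingress writes at RequestResponse level so requestObject is present, and it additionally flags line feeds as a stricter check than the carriage-return criterion the advisory states.

```python
import json

# Constructed sample audit events (audit.k8s.io/v1 Event, one JSON object per line,
# as the kube-apiserver log backend writes them). The second event carries a
# carriage return inside an nginx annotation value; the third is not an Ingress.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                   "namespace": "shop", "name": "web"},
     "requestObject": {"metadata": {"annotations": {
         "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on"}}}},
    {"kind": "Event", "verb": "update", "user": {"username": "mallory"},
     "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                   "namespace": "tenant-b", "name": "evil"},
     "requestObject": {"metadata": {"annotations": {
         "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on\r# injected"}}}},
    {"kind": "Event", "verb": "create", "user": {"username": "bob"},
     "objectRef": {"resource": "configmaps", "namespace": "shop", "name": "cfg"},
     "requestObject": {"metadata": {"annotations": {"x": "a\rb"}}}},
])

INGRESS_API_GROUPS = {"networking.k8s.io", "extensions"}  # groups named in the advisory
WRITE_VERBS = {"create", "update", "patch"}
CONTROL_CHARS = ("\r", "\n")  # the advisory names \r; \n is flagged too (assumption: stricter)

def suspicious_annotations(event):
    """Return annotation keys of an Ingress write whose values contain CR or LF."""
    ref = event.get("objectRef", {})
    if event.get("verb") not in WRITE_VERBS or ref.get("resource") != "ingresses":
        return []
    if ref.get("apiGroup") not in INGRESS_API_GROUPS:
        return []
    # For patch requests requestObject is the patch body; a JSON merge patch keeps
    # the same metadata.annotations shape, so the lookup below still applies.
    meta = (event.get("requestObject") or {}).get("metadata") or {}
    annotations = meta.get("annotations") or {}
    return [k for k, v in annotations.items()
            if isinstance(v, str) and any(c in v for c in CONTROL_CHARS)]

def scan_audit_log(text):
    """Scan newline-delimited audit JSON; return one finding per suspicious annotation."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for key in suspicious_annotations(event):
            ref = event["objectRef"]
            findings.append({"user": event.get("user", {}).get("username"),
                             "namespace": ref.get("namespace"),
                             "ingress": ref.get("name"), "annotation": key})
    return findings

if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(finding)
```

Run it against a real audit log with `scan_audit_log(open("audit.log").read())`; each finding names the requesting user, the namespace, the Ingress and the offending annotation key, which is what a follow-up investigation needs.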

Additional Details

See the GitHub issue for more details:
#126744

Acknowledgements

This vulnerability was reported by André Storfjord Kristiansen @dev-bio.

The issue was fixed and coordinated by the fix team:
André Storfjord Kristiansen @dev-bio
Jintao Zhang @tao12345666333
Marco Ebert @Gacko

/triage accepted
/lifecycle frozen
/area security
/kind bug
/committee security-response
