Multiple vulnerabilities in ingress-Nginx (Score 9.8)

OK it requires access to the pod network. Bad, but not <i>that</i>. Here’s the 9.8: <a href="https:&#x2F;&#x2F;github.com&#x2F;kubernetes&#x2F;kubernetes&#x2F;issues&#x2F;131009" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;kubernetes&#x2F;kubernetes&#x2F;issues&#x2F;131009</a>

I am a little confused about the comment section about this being overblown, it really isn&#x27;t. Ignore all the comments in this post and fix this ASAP.<p>Here&#x27;s a simple test:<p>`kubectl exec -it` a pod:<p>curl -k --fail <a href="https:&#x2F;&#x2F;ingress-nginx-controller-admission.ingress-nginx.svc.cluster.local" rel="nofollow">https:&#x2F;&#x2F;ingress-nginx-controller-admission.ingress-nginx.svc...</a><p>If you see 400 Bad Request, that means this pod has access to the admission controller.<p>How easy would it be to find an avenue to make a request to the admission controller for anything running on your k8s cluster? (maybe your service takes any kind of URL and makes a request on your server...there&#x27;s infinite possibilities of exploiting this.)<p>I am rethinking my choice in using ingress-nginx entirely, perhaps it&#x27;s time to find a simpler solution that has more secure defaults.

These seems overblown since because configuring your ingress controllers and annotating your pods is like &quot;I copy and pasted bash | sudo&quot; but controllers in k8s are a totally insane pattern so I guess any of them could steal&#x2F;do a lot of evil, really.

Resolved in ingress-nginx v1.11.5&#x2F;v1.12.1 neither of which seem to have been released yet.

That&#x27;s quite a terrifying CVE.<p>&gt; Multiple issues have been discovered in ingress-nginx that can result in arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)<p>Beyond that, it could likely be used to sniff out client secrets from other connections as well if the attacker is sophisticated enough.

&gt; January 9, 2025 – Kubernetes proposed a fix for CVE-2025-1097.<p>&gt; January 10, 2025 – Wiz Research reported a bypass for the proposed fix for CVE-2025-1097.<p>&gt; January 12, 2025 – Kubernetes proposed a fix for CVE-2025-1974.<p>&gt; January 16, 2025 – Wiz Research reported a bypass for the proposed fix for CVE-2025-1974.<p>&gt; January 20, 2025 – Kubernetes proposed a fix for CVE-2025-24513.<p>&gt; January 21, 2025 – Wiz Research reported a bypass for the proposed fix for CVE-2025-24513.<p>Lol, lmao even. [1]<p>[1]: <a href="https:&#x2F;&#x2F;www.wiz.io&#x2F;blog&#x2F;ingress-nginx-kubernetes-vulnerabilities" rel="nofollow">https:&#x2F;&#x2F;www.wiz.io&#x2F;blog&#x2F;ingress-nginx-kubernetes-vulnerabili...</a>

4x “stuff dumped into a configuration file verbatim”<p>1x “just run the code, CJ”

“unauthenticated attacker with access to the pod network” &#x2F;yawn