Multiple Vulnerabilities in NGINX Ingress Controller
Components Affected
- NGINX prior to version 1.19
Overview
Multiple vulnerabilities have been identified in in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster.
Description
NGINX Ingress Controller for Kubernetes has several vulnerabilities which are described by their CVE number below:
- CVE-2022-4886 – Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller.
- CVE-2023-5043 – Ingress-nginx annotation injection causes arbitrary command execution.
- CVE-2023-5044 – Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
Impact
- Remote Code Execution
- Security Restriction Bypass
Solution/ Workarounds
Apply fixes issued by the vendor by updating to the latest versions mentioned below:
- Update NGINX to version 1.19
Reference
Disclaimer
The information provided herein is on an “as is” basis, without warranty of any kind.
தொடர்பு கொள்ளுங்கள்
-
The decision we make about Cyber Security today will determine the
kind of society we live tomorrow.
Total Users : 228411
© Sri Lanka CERT|CC 2024. All rights Reserved.
Designed and Developed by Procons Infotech
Skip to content
Designed and Developed by Procons Infotech