CVE-2023-5043 & CVE-2024-7646: Ingress NGINX Security Vulnerabilities

Originally published at ssojet
A significant security vulnerability, CVE-2023-5044, has been identified in ingress-nginx involving the nginx.ingress.kubernetes.io/permanent-redirect annotation. This vulnerability allows the injection of arbitrary commands, potentially compromising the credentials of the ingress-nginx controller, which in default configurations can access all secret data within the Kubernetes cluster. The issue has been rated as High severity with a CVSS score of 7.6.
Affected Components and Configurations
The vulnerability specifically affects ingress-nginx versions prior to v1.9.0. Users can check which controller version they are running by executing kubectl get po -n ingress-nginx. In the "chrooted" ingress-nginx controller, introduced in v1.2.0, command execution remains possible but credential extraction does not, which limits the impact for those using that configuration.
Mitigation Strategies
To mitigate this vulnerability, it is recommended that ingress administrators enable the --enable-annotation-validation flag to restrict the contents of ingress-nginx annotation fields. If exploitation is suspected, contact security@kubernetes.io for immediate assistance.
For further information, refer to the original GitHub issue.
CVE-2023-5043: Ingress nginx Annotation Injection
Another critical vulnerability has been reported in ingress-nginx, identified as CVE-2023-5043. This issue arises from the nginx.ingress.kubernetes.io/configuration-snippet annotation, which also allows for command injection and credential access to the ingress-nginx controller.
Severity and Impact
The vulnerability has a CVSS score of 7.6, indicating it poses a high risk to multi-tenant environments where non-admin users can create Ingress objects. Users should check their ingress-nginx version with kubectl get po -n ingress-nginx to assess risk.
Recommended Actions
To safeguard against this vulnerability, administrators should implement the same mitigation strategies as for CVE-2023-5044. Specifically, enforcing annotation validation through the --enable-annotation-validation flag is crucial. Reports of any potential exploitation should be directed to security@kubernetes.io.
For more details, see the GitHub advisory.
CVE-2024-7646: Ingress-NGINX Annotation Validation Bypass
A new vulnerability, CVE-2024-7646, allows attackers with permissions to create Ingress objects to bypass annotation validation, potentially injecting arbitrary commands and compromising cluster security.
Understanding the Vulnerability
Ingress-nginx is a widely used Kubernetes ingress controller that facilitates external access to services. This vulnerability affects all ingress-nginx controller versions below v1.11.2. Attackers can exploit this flaw to gain unauthorized access to sensitive resources within the cluster.
Exploitation Risks
The exploitation scenario includes creating malicious Ingress objects with specially crafted annotations that bypass validation. This could lead to command injection, XSS attacks, and unauthorized access to sensitive data.
Mitigation Steps
- Upgrade ingress-nginx to version v1.11.2 or above.
- Audit existing Ingress objects for suspicious annotations.
- Implement strict RBAC policies to limit permissions for creating Ingress objects.
- Enable Kubernetes audit logging for detecting exploitation attempts.
For more in-depth information, refer to the official GitHub pull request.
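The audit helper below is an added example, not code from ssojet or the ingress-nginx project. It covers two of the recommendations above: it lists every Ingress object that uses the configuration-snippet or permanent-redirect annotation (CVE-2023-5043 and CVE-2023-5044), and it checks whether the controller Deployment is started with --enable-annotation-validation. The inputs follow the JSON shape of kubectl get ingress -A -o json and kubectl get deploy -n ingress-nginx -o json; the sample objects, the "abnormal redirect value" heuristic and the sample container args other than the validation flag are assumptions for illustration.

```python
import re

# Annotations named in the advisories above; their values are rendered into the
# nginx configuration the controller generates, so every use warrants review.
RISKY_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/configuration-snippet": "CVE-2023-5043",
    "nginx.ingress.kubernetes.io/permanent-redirect": "CVE-2023-5044",
}
# Heuristic (assumption): a redirect target is a single URL, so whitespace,
# newlines or ';' inside the value are abnormal and worth a closer look.
ABNORMAL_REDIRECT = re.compile(r"[\s;]")


def audit_ingresses(ingress_list):
    """Return (namespace, name, annotation, cve, note) for each Ingress to review."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        for key, value in (meta.get("annotations") or {}).items():
            if key not in RISKY_ANNOTATIONS:
                continue
            note = "annotation present"
            if key.endswith("permanent-redirect") and ABNORMAL_REDIRECT.search(value):
                note = "redirect value contains whitespace or ';'"
            findings.append((ns, name, key, RISKY_ANNOTATIONS[key], note))
    return findings


def annotation_validation_enabled(deployment):
    """True only if every controller container passes --enable-annotation-validation."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return all(any(a.startswith("--enable-annotation-validation") for a in c.get("args", []))
               for c in containers)


# Constructed sample input in the shape of `kubectl get ingress -A -o json`.
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/permanent-redirect": "https://shop.example/new"}}},
    {"metadata": {"namespace": "tenant-b", "name": "api", "annotations": {
        "nginx.ingress.kubernetes.io/configuration-snippet": "more_set_headers \"X-Frame-Options: DENY\";"}}},
    {"metadata": {"namespace": "tenant-c", "name": "plain", "annotations": {}}},
]}
# Constructed sample Deployment (controller started without the validation flag).
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller", "args": ["/nginx-ingress-controller",
                                    "--controller-class=k8s.io/ingress-nginx"]}]}}}}

if __name__ == "__main__":
    for finding in audit_ingresses(SAMPLE_INGRESSES):
        print("REVIEW", *finding)
    print("annotation validation enabled:", annotation_validation_enabled(SAMPLE_DEPLOYMENT))
```

Against a live cluster, feed it the output of the two kubectl commands named in the lead-in; an empty finding list plus a True validation check is the state the advisories recommend for versions that still rely on the flag.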
For enterprises prioritizing security in their identity and access management, SSOJet offers solutions like secure Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Passkey management. Ensure your Kubernetes clusters are secure by leveraging SSOJet's API-first platform, which includes directory sync, SAML, OIDC, and magic link authentication.
Explore our services or contact us at SSOJet for more information.