CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25746 – Ingress-nginx directive injection via annotations
https://notcve.org/view.php?id=CVE-2021-25746
06 May 2022 — A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. Se ha detectado un problema de seguridad en ingress-nginx en el que un usuario que puede crear o actualizar objetos ingress puede usar .metadata.annotations en... • https://github.com/kubernetes/ingress-nginx/issues/8503 • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25745 – Ingress-nginx path can be pointed to service account token file
https://notcve.org/view.php?id=CVE-2021-25745
06 May 2022 — A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. Se ha detectado un problema de seguridad en ingress-nginx en el que un usuario que puede crear o actualizar objetos ingress puede usar el ca... • https://github.com/kubernetes/ingress-nginx/issues/8502 • CWE-20: Improper Input Validation •
CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 1CVE-2021-25742 – Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces
https://notcve.org/view.php?id=CVE-2021-25742
29 Oct 2021 — A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. Se ha detectado un problema de seguridad en ingress-nginx donde un usuario que puede crear o actualizar objetos de entrada puede usar la función de fragmentos personalizados para obtener todos los secretos del clúster • https://github.com/kubernetes/ingress-nginx/issues/7837 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8553 – Kubernetes ingress-nginx Compromise of auth via subset/superset namespace names
https://notcve.org/view.php?id=CVE-2020-8553
29 Jul 2020 — The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name. El componente Kubernetes ingress-nginx anterior a la versión 0.28.0, permite a un usuario crear espacios de nombres y leer y crear objetos de ingreso para sobrescribir el archivo de contraseña de otr... • https://github.com/kubernetes/ingress-nginx/issues/5126 • CWE-73: External Control of File Name or Path CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1002104
https://notcve.org/view.php?id=CVE-2018-1002104
14 Jan 2020 — Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly. Las versiones anteriores a 1.5 del back-end predeterminado de ingreso de Kubernetes, que maneja el tráfico de ingreso no válido, expuso públicamente las métricas de prometeus. • https://github.com/kubernetes/ingress-nginx/pull/3125 • CWE-20: Improper Input Validation CWE-215: Insertion of Sensitive Information Into Debugging Code •