CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-5044 – Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation
https://notcve.org/view.php?id=CVE-2023-5044
Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation. Inyección de código a través de la anotación nginx.ingress.kubernetes.io/permanent-redirect. • https://github.com/r0binak/CVE-2023-5044 https://github.com/KubernetesBachelor/CVE-2023-5044 http://www.openwall.com/lists/oss-security/2023/10/25/3 https://github.com/kubernetes/ingress-nginx/issues/10572 https://groups.google.com/g/kubernetes-security-announce/c/ukuYYvRNel0 https://security.netapp.com/advisory/ntap-20240307-0012 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5043 – Ingress nginx annotation injection causes arbitrary command execution
https://notcve.org/view.php?id=CVE-2023-5043
Ingress nginx annotation injection causes arbitrary command execution. La inyección de anotaciones de Ingress nginx provoca la ejecución de comandos arbitrarios. • https://github.com/r0binak/CVE-2023-5043 http://www.openwall.com/lists/oss-security/2023/10/25/4 https://github.com/kubernetes/ingress-nginx/issues/10571 https://groups.google.com/g/kubernetes-security-announce/c/pVsXsOpxYZo https://security.netapp.com/advisory/ntap-20240307-0012 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4886 – Ingress-nginx `path` sanitization can be bypassed with `log_format` directive
https://notcve.org/view.php?id=CVE-2022-4886
Ingress-nginx `path` sanitization can be bypassed with `log_format` directive. La sanitización del parámetro `path` de Ingress-nginx se puede omitir con la directiva `log_format`. • http://www.openwall.com/lists/oss-security/2023/10/25/5 https://github.com/kubernetes/ingress-nginx/issues/10570 https://groups.google.com/g/kubernetes-security-announce/c/ge7u3qCwZLI https://security.netapp.com/advisory/ntap-20240307-0013 • CWE-20: Improper Input Validation •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25748 – Ingress-nginx `path` sanitization can be bypassed with newline character
https://notcve.org/view.php?id=CVE-2021-25748
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. • https://github.com/kubernetes/ingress-nginx/issues/8686 https://groups.google.com/g/kubernetes-security-announce/c/avaRYa9c7I8 • CWE-20: Improper Input Validation •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25746 – Ingress-nginx directive injection via annotations
https://notcve.org/view.php?id=CVE-2021-25746
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. Se ha detectado un problema de seguridad en ingress-nginx en el que un usuario que puede crear o actualizar objetos ingress puede usar .metadata.annotations en un objeto Ingress (en el grupo networking.k8s.io o extensions API) para obtener las credenciales del controlador ingress-nginx. En la configuración por defecto, esa credencial presenta acceso a todos los secretos del clúster • https://github.com/kubernetes/ingress-nginx/issues/8503 https://groups.google.com/g/kubernetes-security-announce/c/hv2-SfdqcfQ https://security.netapp.com/advisory/ntap-20220609-0006 • CWE-20: Improper Input Validation •