1 results (0.037 seconds)

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 2

A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. • https://github.com/UgOrange/CVE-2024-7646-poc https://github.com/r0binak/CVE-2024-7646 https://github.com/kubernetes/ingress-nginx/pull/11719 https://github.com/kubernetes/ingress-nginx/pull/11721 https://github.com/kubernetes/kubernetes/issues/126744 https://groups.google.com/g/kubernetes-security-announce/c/a1__cKjWkfA • CWE-20: Improper Input Validation •