ghsa-5wj4-wffq-3378
Vulnerability from github
Published
2023-10-25 21:30
Modified
2023-11-03 19:13
Summary
Ingress nginx annotation injection causes arbitrary command execution
Details

Issue Details

A security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/configuration-snippet annotation on an Ingress object (in the networking.k8s.io or extensions API group) can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2023-5043.

Affected Components and Configurations

This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running kubectl get po -n ingress-nginx.

If you are running the “chrooted” ingress-nginx controller introduced in v1.2.0 (gcr.io/k8s-staging-ingress-nginx/controller-chroot), command execution is possible but credential extraction is not, so the High severity does not apply.

Multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.

Affected Versions

<v1.9.0

Versions allowing mitigation

v1.9.0

Mitigation

Ingress Administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields.

Detection

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See ingress-nginx Issue #10571 for more details.

Acknowledgements

This vulnerability was reported by suanve

Thank You, CJ Cullen on behalf of the Kubernetes Security Response Committee

Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/ingress-nginx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-5043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-03T19:13:55Z",
    "nvd_published_at": "2023-10-25T20:15:18Z",
    "severity": "HIGH"
  },
  "details": "### Issue Details\nA security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/configuration-snippet annotation on an Ingress object (in the networking.k8s.io or extensions API group) can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.\n\nThis issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2023-5043.\n\n### Affected Components and Configurations\nThis bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running kubectl get po -n ingress-nginx.\n\nIf you are running the \u201cchrooted\u201d ingress-nginx controller introduced in v1.2.0 (gcr.io/k8s-staging-ingress-nginx/controller-chroot), command execution is possible but credential extraction is not, so the High severity does not apply.\n\nMulti-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.\n\n#### Affected Versions\n\u003cv1.9.0\n#### Versions allowing mitigation\nv1.9.0\n### Mitigation\nIngress Administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields.\n\n### Detection\nIf you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io\n\n### Additional Details\nSee ingress-nginx Issue [#10571](https://github.com/kubernetes/ingress-nginx/issues/10571) for more details.\n\n### Acknowledgements\nThis vulnerability was reported by suanve\n\nThank You,\nCJ Cullen on behalf of the Kubernetes Security Response Committee",
  "id": "GHSA-5wj4-wffq-3378",
  "modified": "2023-11-03T19:13:55Z",
  "published": "2023-10-25T21:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5043"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/ingress-nginx/issues/10571"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/kubernetes-security-announce/c/pVsXsOpxYZo"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/10/25/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ingress nginx annotation injection causes arbitrary command execution"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.