ghsa-5wj4-wffq-3378
Vulnerability from github
Issue Details
A security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/configuration-snippet annotation on an Ingress object (in the networking.k8s.io or extensions API group) can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2023-5043.
Affected Components and Configurations
This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running kubectl get po -n ingress-nginx.
If you are running the “chrooted” ingress-nginx controller introduced in v1.2.0 (gcr.io/k8s-staging-ingress-nginx/controller-chroot), command execution is possible but credential extraction is not, so the High severity does not apply.
Multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
Affected Versions
<v1.9.0
Versions allowing mitigation
v1.9.0
Mitigation
Ingress Administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields.
Detection
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Additional Details
See ingress-nginx Issue #10571 for more details.
Acknowledgements
This vulnerability was reported by suanve
Thank You, CJ Cullen on behalf of the Kubernetes Security Response Committee
{ "affected": [ { "package": { "ecosystem": "Go", "name": "k8s.io/ingress-nginx" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.9.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-5043" ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-74" ], "github_reviewed": true, "github_reviewed_at": "2023-11-03T19:13:55Z", "nvd_published_at": "2023-10-25T20:15:18Z", "severity": "HIGH" }, "details": "### Issue Details\nA security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/configuration-snippet annotation on an Ingress object (in the networking.k8s.io or extensions API group) can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.\n\nThis issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2023-5043.\n\n### Affected Components and Configurations\nThis bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running kubectl get po -n ingress-nginx.\n\nIf you are running the \u201cchrooted\u201d ingress-nginx controller introduced in v1.2.0 (gcr.io/k8s-staging-ingress-nginx/controller-chroot), command execution is possible but credential extraction is not, so the High severity does not apply.\n\nMulti-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.\n\n#### Affected Versions\n\u003cv1.9.0\n#### Versions allowing mitigation\nv1.9.0\n### Mitigation\nIngress Administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields.\n\n### Detection\nIf you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io\n\n### Additional Details\nSee ingress-nginx Issue [#10571](https://github.com/kubernetes/ingress-nginx/issues/10571) for more details.\n\n### Acknowledgements\nThis vulnerability was reported by suanve\n\nThank You,\nCJ Cullen on behalf of the Kubernetes Security Response Committee", "id": "GHSA-5wj4-wffq-3378", "modified": "2023-11-03T19:13:55Z", "published": "2023-10-25T21:30:33Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5043" }, { "type": "WEB", "url": "https://github.com/kubernetes/ingress-nginx/issues/10571" }, { "type": "WEB", "url": "https://groups.google.com/g/kubernetes-security-announce/c/pVsXsOpxYZo" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/25/4" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "type": "CVSS_V3" } ], "summary": "Ingress nginx annotation injection causes arbitrary command execution" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.