csaf_certbund - wid-sec-w-2025-0629

WID-SEC-W-2025-0629

Vulnerability from csaf_certbund - Published: 2025-03-24 23:00 - Updated: 2025-05-13 22:00

Summary

Ingress NGINX Controller für Kubernetes: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Kubernetes ist ein Werkzeug zur Automatisierung der Bereitstellung, Skalierung und Verwaltung von containerisierten Anwendungen. Ingress NGINX Controller für Kubernetes wird häufig als Reverse Proxy und Load Balancer eingesetzt, um externen Traffic auf interne Kubernetes-Services weiterzuleiten.

Angriff

Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen im Ingress NGINX Controller für Kubernetes ausnutzen, um beliebigen Code auszuführen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme

- Sonstiges - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Kubernetes ist ein Werkzeug zur Automatisierung der Bereitstellung, Skalierung und Verwaltung von containerisierten Anwendungen.\r\nIngress NGINX Controller f\u00fcr Kubernetes wird h\u00e4ufig als Reverse Proxy und Load Balancer eingesetzt, um externen Traffic auf interne Kubernetes-Services weiterzuleiten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen im Ingress NGINX Controller f\u00fcr Kubernetes ausnutzen, um beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0629 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0629.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0629 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0629"
      },
      {
        "category": "external",
        "summary": "Tenable Blog vom 2025-03-24",
        "url": "https://www.tenable.com/blog/cve-2025-1974-frequently-asked-questions-about-ingressnightmare-kubernetes"
      },
      {
        "category": "external",
        "summary": "Kubernetes GitHub vom 2025-03-24",
        "url": "https://github.com/kubernetes/kubernetes/issues/131005"
      },
      {
        "category": "external",
        "summary": "Kubernetes GitHub vom 2025-03-24",
        "url": "https://github.com/kubernetes/kubernetes/issues/131006"
      },
      {
        "category": "external",
        "summary": "Kubernetes GitHub vom 2025-03-24",
        "url": "https://github.com/kubernetes/kubernetes/issues/131007"
      },
      {
        "category": "external",
        "summary": "Kubernetes GitHub vom 2025-03-24",
        "url": "https://github.com/kubernetes/kubernetes/issues/131008"
      },
      {
        "category": "external",
        "summary": "Kubernetes GitHub vom 2025-03-24",
        "url": "https://github.com/kubernetes/kubernetes/issues/131009"
      },
      {
        "category": "external",
        "summary": "PoC auf GitHub vom 2025-03-24",
        "url": "https://github.com/sandumjacob/IngressNightmare-POCs"
      },
      {
        "category": "external",
        "summary": "Google Cloud Bulletin vom 2025-03-24",
        "url": "https://cloud.google.com/support/bulletins#gcp-2025-013"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2025-03-24",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-1097"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2025-03-24",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-1098"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2025-03-24",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-1974"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2025-03-24",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24513"
      },
      {
        "category": "external",
        "summary": "Microsoft Security Update Guide vom 2025-03-24",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24514"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:14942-1 vom 2025-03-29",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/X6IUJL64VPCXGTRC6RXEW2YR7XTLPL4D/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:14941-1 vom 2025-03-29",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/3DNSWPPJ33REJ6VBO2MSSYJ6XO7XRUJ6/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:14944-1 vom 2025-03-29",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/AXAWKVFNQBIDWTRIHH256LGS2N6R6BOG/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:14943-1 vom 2025-03-29",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RYTI7EKR4C7WUKDN6XNAEP7DQZI2ADOI/"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7229787 vom 2025-04-01",
        "url": "https://www.ibm.com/support/pages/node/7229787"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15083-1 vom 2025-05-13",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KQS4AI4IUYK2KCIUCXDYZUBJ5XSJNQJA/"
      }
    ],
    "source_lang": "en-US",
    "title": "Ingress NGINX Controller f\u00fcr Kubernetes: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-05-13T22:00:00.000+00:00",
      "generator": {
        "date": "2025-05-14T07:08:50.391+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0629",
      "initial_release_date": "2025-03-24T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-03-24T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-03-25T23:00:00.000+00:00",
          "number": "2",
          "summary": "Produktbeschreibung erg\u00e4nzt"
        },
        {
          "date": "2025-03-27T23:00:00.000+00:00",
          "number": "3",
          "summary": "Referenz(en) aufgenommen: AWS-2025-006"
        },
        {
          "date": "2025-03-30T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2025-04-01T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-05-13T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von openSUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM InfoSphere Information Server",
            "product": {
              "name": "IBM InfoSphere Information Server",
              "product_id": "T035705",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:infosphere_information_server:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Ingress NGINX Controller \u003c1.12.1",
                "product": {
                  "name": "Open Source Kubernetes Ingress NGINX Controller \u003c1.12.1",
                  "product_id": "T042127"
                }
              },
              {
                "category": "product_version",
                "name": "Ingress NGINX Controller 1.12.1",
                "product": {
                  "name": "Open Source Kubernetes Ingress NGINX Controller 1.12.1",
                  "product_id": "T042127-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:kubernetes:kubernetes:ingress_nginx_controller__1.12.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Ingress NGINX Controller \u003c1.11.5",
                "product": {
                  "name": "Open Source Kubernetes Ingress NGINX Controller \u003c1.11.5",
                  "product_id": "T042128"
                }
              },
              {
                "category": "product_version",
                "name": "Ingress NGINX Controller 1.11.5",
                "product": {
                  "name": "Open Source Kubernetes Ingress NGINX Controller 1.11.5",
                  "product_id": "T042128-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:kubernetes:kubernetes:ingress_nginx_controller__1.11.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Kubernetes"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-1097",
      "product_status": {
        "known_affected": [
          "T042127",
          "T035705",
          "T042128",
          "T027843"
        ]
      },
      "release_date": "2025-03-24T23:00:00.000+00:00",
      "title": "CVE-2025-1097"
    },
    {
      "cve": "CVE-2025-1098",
      "product_status": {
        "known_affected": [
          "T042127",
          "T035705",
          "T042128",
          "T027843"
        ]
      },
      "release_date": "2025-03-24T23:00:00.000+00:00",
      "title": "CVE-2025-1098"
    },
    {
      "cve": "CVE-2025-1974",
      "product_status": {
        "known_affected": [
          "T042127",
          "T035705",
          "T042128",
          "T027843"
        ]
      },
      "release_date": "2025-03-24T23:00:00.000+00:00",
      "title": "CVE-2025-1974"
    },
    {
      "cve": "CVE-2025-24513",
      "product_status": {
        "known_affected": [
          "T042127",
          "T035705",
          "T042128",
          "T027843"
        ]
      },
      "release_date": "2025-03-24T23:00:00.000+00:00",
      "title": "CVE-2025-24513"
    },
    {
      "cve": "CVE-2025-24514",
      "product_status": {
        "known_affected": [
          "T042127",
          "T035705",
          "T042128",
          "T027843"
        ]
      },
      "release_date": "2025-03-24T23:00:00.000+00:00",
      "title": "CVE-2025-24514"
    }
  ]
}

CVE-2025-1097 (GCVE-0-2025-1097)

Vulnerability from cvelistv5 – Published: 2025-03-24 23:29 – Updated: 2025-11-03 20:57

Summary

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-20 - Improper Input Validation

Assigner

kubernetes

References

URL

Tags

https://github.com/kubernetes/kubernetes/issues/131007

Impacted products

	Vendor	Product	Version
	kubernetes	ingress-nginx	Affected: 0 , ≤ 1.11.4 (semver) Affected: 1.12.0

Credits

Nir Ohfeld Ronen Shustin Sagi Tzadik Hillai Ben Sasson

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1097",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T03:55:13.954Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:57:02.247Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250328-0008/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ingress-nginx",
          "repo": "https://github.com/kubernetes/ingress-nginx",
          "vendor": "kubernetes",
          "versions": [
            {
              "lessThanOrEqual": "1.11.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "1.12.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nir Ohfeld"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ronen Shustin"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Sagi Tzadik"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Hillai Ben Sasson"
        }
      ],
      "datePublic": "2025-03-24T19:36:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A security issue was discovered in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/kubernetes/ingress-nginx\"\u003eingress-nginx\u003c/a\u003e where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)"
            }
          ],
          "value": "A security issue was discovered in  ingress-nginx https://github.com/kubernetes/ingress-nginx  where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-137",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-137 Parameter Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-24T23:29:05.879Z",
        "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "shortName": "kubernetes"
      },
      "references": [
        {
          "url": "https://github.com/kubernetes/kubernetes/issues/131007"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ingress-nginx controller - configuration injection via unsanitized auth-tls-match-cn annotation",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
    "assignerShortName": "kubernetes",
    "cveId": "CVE-2025-1097",
    "datePublished": "2025-03-24T23:29:05.879Z",
    "dateReserved": "2025-02-07T00:11:49.551Z",
    "dateUpdated": "2025-11-03T20:57:02.247Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24514 (GCVE-0-2025-24514)

Vulnerability from cvelistv5 – Published: 2025-03-24 23:29 – Updated: 2025-11-03 21:12

Summary

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-20 - Improper Input Validation

Assigner

kubernetes

References

URL

Tags

https://github.com/kubernetes/kubernetes/issues/131006

Impacted products

	Vendor	Product	Version
	kubernetes	ingress-nginx	Affected: 0 , ≤ 1.11.4 (semver) Affected: 1.12.0

Credits

Nir Ohfeld Ronen Shustin Sagi Tzadik

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24514",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T03:55:17.986Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:12:44.789Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250328-0008/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ingress-nginx",
          "repo": "https://github.com/kubernetes/ingress-nginx",
          "vendor": "kubernetes",
          "versions": [
            {
              "lessThanOrEqual": "1.11.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "1.12.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nir Ohfeld"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ronen Shustin"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Sagi Tzadik"
        }
      ],
      "datePublic": "2025-03-24T19:36:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A security issue was discovered in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/kubernetes/ingress-nginx\"\u003eingress-nginx\u003c/a\u003e where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)"
            }
          ],
          "value": "A security issue was discovered in  ingress-nginx https://github.com/kubernetes/ingress-nginx  where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-137",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-137 Parameter Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-24T23:29:36.802Z",
        "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "shortName": "kubernetes"
      },
      "references": [
        {
          "url": "https://github.com/kubernetes/kubernetes/issues/131006"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ingress-nginx controller - configuration injection via unsanitized auth-url annotation",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
    "assignerShortName": "kubernetes",
    "cveId": "CVE-2025-24514",
    "datePublished": "2025-03-24T23:29:36.802Z",
    "dateReserved": "2025-01-23T00:50:17.929Z",
    "dateUpdated": "2025-11-03T21:12:44.789Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24513 (GCVE-0-2025-24513)

Vulnerability from cvelistv5 – Published: 2025-03-24 23:29 – Updated: 2025-11-03 21:12

Summary

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

CWE

CWE-20 - Improper Input Validation

Assigner

kubernetes

References

URL

Tags

https://github.com/kubernetes/kubernetes/issues/131005

Impacted products

	Vendor	Product	Version
	kubernetes	ingress-nginx	Affected: 0 , ≤ 1.11.4 (semver) Affected: 1.12.0

Credits

Nir Ohfeld Ronen Shustin

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24513",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-25T13:39:36.149148Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-25T13:39:50.057Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:12:43.390Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250328-0008/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ingress-nginx",
          "repo": "https://github.com/kubernetes/ingress-nginx",
          "vendor": "kubernetes",
          "versions": [
            {
              "lessThanOrEqual": "1.11.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "1.12.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nir Ohfeld"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ronen Shustin"
        }
      ],
      "datePublic": "2025-03-24T19:36:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A security issue was discovered in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/kubernetes/ingress-nginx\"\u003eingress-nginx\u003c/a\u003e where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster."
            }
          ],
          "value": "A security issue was discovered in  ingress-nginx https://github.com/kubernetes/ingress-nginx  where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-24T23:29:25.215Z",
        "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "shortName": "kubernetes"
      },
      "references": [
        {
          "url": "https://github.com/kubernetes/kubernetes/issues/131005"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ingress-nginx controller - auth secret file path traversal vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
    "assignerShortName": "kubernetes",
    "cveId": "CVE-2025-24513",
    "datePublished": "2025-03-24T23:29:25.215Z",
    "dateReserved": "2025-01-23T00:50:17.928Z",
    "dateUpdated": "2025-11-03T21:12:43.390Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-1974 (GCVE-0-2025-1974)

Vulnerability from cvelistv5 – Published: 2025-03-24 23:28 – Updated: 2025-11-10 17:23

Summary

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-653 - Improper Isolation or Compartmentalization

Assigner

kubernetes

References

URL

Tags

https://https://github.com/kubernetes/kubernetes/…

Impacted products

	Vendor	Product	Version
	kubernetes	ingress-nginx	Affected: 0 , ≤ 1.11.4 (semver) Affected: 1.12.0

Credits

Nir Ohfeld Ronen Shustin Sagi Tzadik Hillai Ben Sasson

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1974",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T03:55:19.309Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-10T17:23:37.058Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250328-0008/"
          },
          {
            "url": "https://github.com/B1ack4sh/Blackash-CVE-2025-1974"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Validating Admission Controller"
          ],
          "product": "ingress-nginx",
          "repo": "https://github.com/kubernetes/ingress-nginx",
          "vendor": "kubernetes",
          "versions": [
            {
              "lessThanOrEqual": "1.11.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "1.12.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nir Ohfeld"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ronen Shustin"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Sagi Tzadik"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Hillai Ben Sasson"
        }
      ],
      "datePublic": "2025-03-24T19:36:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)"
            }
          ],
          "value": "A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-251",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-251 Local Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-653",
              "description": "CWE-653 Improper Isolation or Compartmentalization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-24T23:28:48.985Z",
        "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "shortName": "kubernetes"
      },
      "references": [
        {
          "url": "https://https://github.com/kubernetes/kubernetes/issues/131009"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ingress-nginx admission controller RCE escalation",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Before applying the patch, this issue can be mitigated by disabling the Validating Admission Controller functionality of ingress-nginx."
            }
          ],
          "value": "Before applying the patch, this issue can be mitigated by disabling the Validating Admission Controller functionality of ingress-nginx."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
    "assignerShortName": "kubernetes",
    "cveId": "CVE-2025-1974",
    "datePublished": "2025-03-24T23:28:48.985Z",
    "dateReserved": "2025-03-04T21:34:07.543Z",
    "dateUpdated": "2025-11-10T17:23:37.058Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-1098 (GCVE-0-2025-1098)

Vulnerability from cvelistv5 – Published: 2025-03-24 23:29 – Updated: 2025-11-03 20:57

Summary

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-20 - Improper Input Validation

Assigner

kubernetes

References

URL

Tags

https://github.com/kubernetes/kubernetes/issues/131008

Impacted products

	Vendor	Product	Version
	kubernetes	ingress-nginx	Affected: 0 , ≤ 1.11.4 (semver) Affected: 1.12.0

Credits

Nir Ohfeld Ronen Shustin Sagi Tzadik Hillai Ben Sasson

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1098",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T03:55:16.707Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:57:03.818Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250328-0008/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ingress-nginx",
          "repo": "https://github.com/kubernetes/ingress-nginx",
          "vendor": "kubernetes",
          "versions": [
            {
              "lessThanOrEqual": "1.11.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "1.12.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nir Ohfeld"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ronen Shustin"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Sagi Tzadik"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Hillai Ben Sasson"
        }
      ],
      "datePublic": "2025-03-24T19:36:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A security issue was discovered in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/kubernetes/ingress-nginx\"\u003eingress-nginx\u003c/a\u003e where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)"
            }
          ],
          "value": "A security issue was discovered in  ingress-nginx https://github.com/kubernetes/ingress-nginx  where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-137",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-137 Parameter Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-24T23:29:15.610Z",
        "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "shortName": "kubernetes"
      },
      "references": [
        {
          "url": "https://github.com/kubernetes/kubernetes/issues/131008"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ingress-nginx controller - configuration injection via unsanitized mirror annotations",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
    "assignerShortName": "kubernetes",
    "cveId": "CVE-2025-1098",
    "datePublished": "2025-03-24T23:29:15.610Z",
    "dateReserved": "2025-02-07T00:11:53.927Z",
    "dateUpdated": "2025-11-03T20:57:03.818Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-0629

CVE-2025-1097 (GCVE-0-2025-1097)

CVE-2025-24514 (GCVE-0-2025-24514)

CVE-2025-24513 (GCVE-0-2025-24513)

CVE-2025-1974 (GCVE-0-2025-1974)

CVE-2025-1098 (GCVE-0-2025-1098)

Tags

Sightings

Nomenclature