Urgent: New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes

Oct 30, 2023 08:00 am Cyber Security 147
Urgent: New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes

Oct 30, 2023NewsroomKubernetes / Server Security




Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster.


The vulnerabilities are as follows -


  • CVE-2022-4886 (CVSS score: 8.8) - Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller

  • CVE-2023-5043 (CVSS score: 7.6) - Ingress-nginx annotation injection causes arbitrary command execution

  • CVE-2023-5044 (CVSS score: 7.6) - Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation

    • "These vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster," Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044.


    Successful exploitation of the flaws could allow an adversary to inject arbitrary code into the ingress controller process, and gain unauthorized access to sensitive data.



    urgent security flaws discovered nginx ingress controller kubernetes
    Read The Rest from the original source
    thehackernews.com

    Related News

    Be in Touch

    All Rights Reserved #1 Source for Cyber Security News, Reports and Threat Intelligence
    Powered By The Internet!!!!