The ingress-nginx vulnerability CVE-2021-25745 was discovered by the Kubernetes community. Attackers can obtain the credentials of the NGINX Ingress controller by using the spec.rules[].http.paths[].path field of an Ingress. The credentials can be used to gain access to all Secrets in the cluster.

CVE-2021-25745 is rated as high severity and its Common Vulnerability Scoring System (CVSS) score is 7.6.

Affected versions

ingress-nginx versions earlier than 1.2.0 are affected by this vulnerability.

This vulnerability is fixed in the following ingress-nginx versions:

  • v1.2.0-beta.0
  • v1.2.0

For more information about this vulnerability, see #8502.

Impacts

Users who can create or modify Ingresses can use the spec.rules[].http.paths[].path field of an Ingress (in the networking.k8s.io or extensions API group) to obtain the credentials of the NGINX Ingress controller. The credentials can be used to access the API server of the cluster and gain access to all Secrets in the cluster.

Mitigation

Solution 1

Use the policy governance feature of Container Service for Kubernetes (ACK) to deploy the ACKCheckNginxPath policy. This allows you to deny Ingress change requests that contain risky configurations. For more information, see Configure and enforce ACK pod security policies and Predefined security policies of ACK.

Solution 2

Remove the permissions to create and modify Ingresses from accounts other than administrators.
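One way to find the accounts that Solution 2 applies to, as an added example that is not part of the original advisory: the script lists every non-administrator subject bound to a Role or ClusterRole that can create or modify Ingresses, including grants made through wildcards. The role, binding and subject names are constructed sample data, and the administrator allowlist is an assumption to adapt to your cluster.

```python
# Constructed sample objects, shaped like the "items" printed by
# `kubectl get clusterroles,roles -A -o json` and the matching bindings.
WRITE_VERBS = {"create", "update", "patch", "*"}   # create or modify
GROUPS = {"networking.k8s.io", "extensions", "*"}  # API groups in the advisory
RESOURCES = {"ingresses", "*"}

def ingress_write_verbs(role):
    """Return the write verbs a Role or ClusterRole grants on Ingresses."""
    verbs = set()
    for rule in role.get("rules") or []:
        if GROUPS & set(rule.get("apiGroups", [])) and RESOURCES & set(rule.get("resources", [])):
            verbs |= WRITE_VERBS & set(rule.get("verbs", []))
    return sorted(verbs)

def risky_subjects(roles, bindings, admins):
    """Map each non-admin subject to the ingress-writing roles bound to it."""
    risky = {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"])
             for r in roles if ingress_write_verbs(r)}
    found = {}
    for b in bindings:
        ref = b["roleRef"]
        # A Role is resolved in the binding's namespace; a ClusterRole has none.
        ns = b["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        if (ref["kind"], ns, ref["name"]) in risky:
            for s in b.get("subjects") or []:
                who = "/".join(filter(None, [s["kind"], s.get("namespace"), s["name"]]))
                if who not in admins:
                    found.setdefault(who, []).append(ref["name"])
    return found

def _role(kind, name, ns, groups, resources, verbs):
    return {"kind": kind, "metadata": {"name": name, "namespace": ns},
            "rules": [{"apiGroups": groups, "resources": resources, "verbs": verbs}]}
def _bind(ns, ref_kind, ref_name, **subject):
    return {"metadata": {"namespace": ns}, "roleRef": {"kind": ref_kind, "name": ref_name}, "subjects": [subject]}

ROLES = [
    _role("ClusterRole", "cluster-admin", "", ["*"], ["*"], ["*"]),
    _role("ClusterRole", "app-deployer", "", ["networking.k8s.io"], ["ingresses"], ["get", "create", "patch"]),
    _role("Role", "ingress-viewer", "team-a", ["networking.k8s.io"], ["ingresses"], ["get", "list"]),
    _role("Role", "legacy-ingress", "team-b", ["extensions"], ["ingresses"], ["update"]),
]
BINDINGS = [
    _bind("", "ClusterRole", "cluster-admin", kind="Group", name="system:masters"),
    _bind("team-a", "ClusterRole", "app-deployer", kind="User", name="dev-alice"),
    _bind("team-a", "Role", "ingress-viewer", kind="User", name="dev-bob"),
    _bind("team-b", "Role", "legacy-ingress", kind="ServiceAccount", namespace="team-b", name="ci-bot"),
]
FINDINGS = risky_subjects(ROLES, BINDINGS, admins={"Group/system:masters"})
print(FINDINGS)
```

The check ignores resourceNames restrictions, so a rule limited to specific Ingress objects is still reported and should be reviewed by hand.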

Fixes

Check the release notes of the NGINX Ingress controller and update the NGINX Ingress controller at the earliest opportunity. For more information about the release notes of the NGINX Ingress controller, see Nginx Ingress Controller.