CVE-2021-25745 - OpenCVE

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Kubernetes	Ingress-nginx

Configuration 1 [-]

cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/kubernetes/ingress-nginx/issues/8502	Issue Tracking Mitigation Third Party Advisory
https://groups.google.com/g/kubernetes-security-announce/c/7vQrpDZeBlc	Issue Tracking Mailing List Mitigation Third Party Advisory
https://security.netapp.com/advisory/ntap-20220609-0006/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: kubernetes

Published: 2022-04-22T00:00:00

Updated: 2022-06-09T18:06:16

Reserved: 2021-01-21T00:00:00

Link: CVE-2021-25745

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-05-06T01:15:09.047

Modified: 2022-12-02T22:41:53.333

Link: CVE-2021-25745

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "Kubernetes ingress-nginx", "vendor": "Kubernetes", "versions": [{"lessThan": "1.2.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Gafnit Amiga"}], "datePublic": "2022-04-22T00:00:00", "descriptions": [{"lang": "en", "value": "A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-09T18:06:16", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/7vQrpDZeBlc"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/kubernetes/ingress-nginx/issues/8502"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220609-0006/"}], "source": {"defect": ["https://github.com/kubernetes/ingress-nginx/issues/8502"], "discovery": "EXTERNAL"}, "title": "Ingress-nginx path can be pointed to service account token file", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@kubernetes.io", "DATE_PUBLIC": "2022-04-22T16:30:00.000Z", "ID": "CVE-2021-25745", "STATE": "PUBLIC", "TITLE": "Ingress-nginx path can be pointed to service account token file"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes ingress-nginx", "version": {"version_data": [{"version_affected": "<", "version_value": "1.2.0"}]}}]}, "vendor_name": "Kubernetes"}]}}, "credit": [{"lang": "eng", "value": "Gafnit Amiga"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://groups.google.com/g/kubernetes-security-announce/c/7vQrpDZeBlc", "refsource": "MISC", "url": "https://groups.google.com/g/kubernetes-security-announce/c/7vQrpDZeBlc"}, {"name": "https://github.com/kubernetes/ingress-nginx/issues/8502", "refsource": "MISC", "url": "https://github.com/kubernetes/ingress-nginx/issues/8502"}, {"name": "https://security.netapp.com/advisory/ntap-20220609-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220609-0006/"}]}, "source": {"defect": ["https://github.com/kubernetes/ingress-nginx/issues/8502"], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2021-25745", "datePublished": "2022-04-22T00:00:00", "dateReserved": "2021-01-21T00:00:00", "dateUpdated": "2022-06-09T18:06:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DD01B7D-743B-41AF-9D8F-D8C6038E6BD0", "versionEndExcluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster."}, {"lang": "es", "value": "Se ha detectado un problema de seguridad en ingress-nginx en el que un usuario que puede crear o actualizar objetos ingress puede usar el campo spec.rules[].http.paths[].path de un objeto Ingress (en el grupo networking.k8s.io o extensions API) para obtener las credenciales del controlador ingress-nginx. En la configuraci\u00f3n por defecto, esa credencial presenta acceso a todos los secretos del cl\u00faster"}], "id": "CVE-2021-25745", "lastModified": "2022-12-02T22:41:53.333", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2022-05-06T01:15:09.047", "references": [{"source": "jordan@liggitt.net", "tags": ["Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://github.com/kubernetes/ingress-nginx/issues/8502"}, {"source": "jordan@liggitt.net", "tags": ["Issue Tracking", "Mailing List", "Mitigation", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/7vQrpDZeBlc"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220609-0006/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}