Updated on 2025-03-27 GMT+08:00

Notice of the NGINX Ingress Controller Vulnerability That Allows Attackers to Bypass Annotation Validation (CVE-2024-7646)

Vulnerability Details

Table 1 Vulnerability details

Type                                     CVE-ID          Severity   Discovered
Validation bypass and command injection  CVE-2024-7646   Critical   2024-08-19

Impact

Attackers with permission to create Ingress objects in a Kubernetes cluster (in the networking.k8s.io or extensions API group) can exploit a vulnerability in ingress-nginx versions earlier than v1.11.2. It allows them to bypass annotation validation and inject arbitrary commands, potentially obtaining the credentials of the ingress-nginx controller and sensitive information in the cluster.

A CCE Autopilot cluster is affected when an NGINX Ingress Controller add-on version earlier than v2.4.14 is installed in it.

Identification Method

  1. Use kubectl to search for pods related to cceaddon-nginx-ingress.
    kubectl get po -A | grep cceaddon-nginx-ingress

    If any matching pods are listed, the NGINX Ingress Controller add-on is installed in the cluster.

  2. Check the nginx-ingress image version used by the NGINX Ingress Controller add-on.
    kubectl get deploy cceaddon-nginx-ingress-controller -n kube-system -o yaml | grep -w image

    If the image tag of the installed NGINX Ingress Controller add-on is an nginx-ingress version earlier than v1.11.2, the cluster is affected by this vulnerability.
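The following POSIX shell script is an added example for this notice, not part of the CCE documentation or of the add-on itself. It automates the two identification steps: it runs the same kubectl commands as above when invoked with --live, extracts the controller image tag from the deployment YAML, and compares it numerically against the fixed controller version v1.11.2 (so that, for example, v1.9.x is correctly treated as older than v1.11.x, which a plain string comparison would get wrong). Without --live it runs the same logic against a constructed sample of step 2's output; the registry path in that sample is a placeholder, and the check is on the controller image tag only, not on the add-on version number.

```shell
#!/bin/sh
# Added example (not part of the CCE notice): automates the two identification
# steps. Default run uses a constructed sample line; "--live" queries the
# cluster with kubectl, using the same commands as the notice.

FIXED_VERSION="v1.11.2"   # first ingress-nginx controller release with the fix

# version_lt A B: exit 0 when tag A is older than tag B.
# Tags are compared as three numeric fields; a leading "v" and any
# pre-release suffix such as "-rc1" are ignored.
version_lt() {
    a=$(printf '%s\n' "$1" | sed 's/^v//; s/[^0-9.].*$//')
    b=$(printf '%s\n' "$2" | sed 's/^v//; s/[^0-9.].*$//')
    i=1
    while [ "$i" -le 3 ]; do
        # awk yields 0 for a missing field, so "1.11" compares as 1.11.0
        x=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{ print $n + 0 }')
        y=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{ print $n + 0 }')
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal versions are not "older than"
}

# image_tag REF: print the tag of an image reference, or nothing if it has none.
image_tag() {
    ref=${1%%@*}        # drop a trailing @sha256:... digest
    last=${ref##*/}     # final path component is name[:tag]
    case "$last" in
        *:*) printf '%s\n' "${last##*:}" ;;
        *)   printf '\n' ;;
    esac
}

# image_vulnerable REF: exit 0 when the tag is older than FIXED_VERSION,
# 1 when it is the fixed version or newer, 2 when no tag can be read.
image_vulnerable() {
    tag=$(image_tag "$1")
    [ -n "$tag" ] || return 2
    version_lt "$tag" "$FIXED_VERSION"
}

# image_from_yaml YAML: first "image:" value, filtered as in step 2 of the notice.
image_from_yaml() {
    printf '%s\n' "$1" | grep -w image | sed -n 's/.*image:[[:space:]]*//p' | head -n 1
}

# report_image REF: print a verdict for one image reference (always exits 0).
report_image() {
    image_vulnerable "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo "VULNERABLE: $1 is older than $FIXED_VERSION; upgrade the add-on to v2.4.14 or later" ;;
        2) echo "UNKNOWN: could not read a version tag from $1" ;;
        *) echo "OK: $1 is $FIXED_VERSION or later" ;;
    esac
}

# check_cluster: live version of steps 1 and 2 against the current kubeconfig.
check_cluster() {
    if ! kubectl get po -A 2>/dev/null | grep -q cceaddon-nginx-ingress; then
        echo "NGINX Ingress Controller add-on not installed: not affected"
        return 0
    fi
    yaml=$(kubectl get deploy cceaddon-nginx-ingress-controller -n kube-system -o yaml)
    report_image "$(image_from_yaml "$yaml")"
}

# Constructed sample of step 2's output (placeholder registry, not real cluster data).
SAMPLE_YAML="      containers:
      - args:
        - /nginx-ingress-controller
        image: registry.example.invalid/cceaddon/nginx-ingress:v1.11.1
        imagePullPolicy: IfNotPresent"

if [ "${1:-}" = "--live" ]; then
    check_cluster
else
    report_image "$(image_from_yaml "$SAMPLE_YAML")"
fi
```

Save it as check_ingress_nginx.sh and run `sh check_ingress_nginx.sh --live` with a kubeconfig for the cluster being assessed; the sample run prints a VULNERABLE verdict for the constructed v1.11.1 image. Note that `grep -w image` deliberately does not match `imagePullPolicy`, because the `-w` word boundary stops at the letter P.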

Solution

This vulnerability has been fixed in the NGINX Ingress Controller add-on for CCE Autopilot clusters. Upgrade the add-on to a version in which the vulnerability has been fixed.

Fixed add-on version: v2.4.14 or later

Helpful Links

Fixed version released by the community: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.2