Notice of the NGINX Ingress Controller Vulnerability That Allows Attackers to Bypass Annotation Validation (CVE-2024-7646)
Vulnerability Details
Type | CVE-ID | Severity | Discovered
---|---|---|---
Validation bypass and command injection | CVE-2024-7646 | Critical | 2024-08-19
Impact
Attackers with permission to create Ingress objects in a Kubernetes cluster (in the networking.k8s.io or extensions API group) can exploit a vulnerability in ingress-nginx versions earlier than v1.11.2. The flaw lets them bypass annotation validation and inject arbitrary commands, which can expose the credentials held by the ingress-nginx controller and other sensitive information in the cluster.
CCE Autopilot clusters are affected when an NGINX Ingress Controller add-on version earlier than v2.4.14 is installed.
Identification Method
- Use kubectl to search for pods related to cceaddon-nginx-ingress.
  kubectl get po -A | grep cceaddon-nginx-ingress
  If matching pods are listed, the NGINX Ingress Controller add-on is installed in the cluster.
- Check the nginx-ingress image version used by the NGINX Ingress Controller add-on.
  kubectl get deploy cceaddon-nginx-ingress-controller -n kube-system -o yaml | grep -w image
  If the image tag of the installed NGINX Ingress Controller add-on is an nginx-ingress version earlier than v1.11.2, the cluster is affected by this vulnerability.
Solution
This vulnerability has been fixed for the NGINX Ingress Controller add-on in the CCE Autopilot cluster. Upgrade the add-on to the version where the vulnerability has been fixed.
Fixed add-on version: v2.4.14 or later
Helpful Links
Fixed version released by the community: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.2