Description
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.
Report
OpenShift Container Platform does not use NGINX for Ingress and is therefore not affected by this vulnerability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/management-ingress-rhel8 | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift | Not affected | | |
Additional information
Status:
Important
Weakness:
CWE-522
https://bugzilla.redhat.com/show_bug.cgi?id=2012036
k8s.io/ingress-nginx: Custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces
EPSS
Percentile: 67%
0.0054
Low
7.6 High
CVSS3
Related vulnerabilities
CVSS3: 7.6
nvd
more than 4 years ago
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.
github
more than 3 years ago
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.