Vulnerability CVE-2021-25742 was recently disclosed by Kubernetes. This vulnerability is related to the ingress-nginx component. This vulnerability can be exploited by attackers to use the custom snippets feature to create or modify Ingresses and obtain all Secrets in a cluster. This topic describes the impacts, affected ingress-nginx versions, and fixes for this vulnerability.

CVE-2021-25742 is rated as high severity and its Common Vulnerability Scoring System (CVSS) score is 7.6.

Affected ingress-nginx versions

The following ingress-nginx versions are affected:
  • v1.0.0
  • ingress-nginx 0.49.0 and earlier
This vulnerability is fixed in the following ingress-nginx versions:
  • v1.0.1
  • v0.49.1

For more information about this vulnerability, see CVE-2021-25742.

Impacts

If the permissions to create and modify Ingresses are granted to a non-administrator user in a multi-tenant cluster, the user can use the custom snippets feature to obtain all Secrets in the cluster. This may cause unauthorized access to other tenants or secret information in the cluster.

Mitigation

Run the following command to modify the nginx-configuration ConfigMap in the kube-system namespace:

kubectl edit configmap -nkube-system nginx-configuration

Set allow-snippet-annotations to false:

data:
  allow-snippet-annotations: "false"