Vulnerability CVE-2021-25742 was recently disclosed by Kubernetes. This vulnerability is related to the ingress-nginx component. This vulnerability can be exploited by attackers to use the custom snippets feature to create or modify Ingresses and obtain all Secrets in a cluster. This topic describes the impacts, affected ingress-nginx versions, and fixes for this vulnerability.
CVE-2021-25742 is rated as high severity and its Common Vulnerability Scoring System (CVSS) score is 7.6.
Affected ingress-nginx versions
- v1.0.0
- ingress-nginx 0.49.0 and earlier
- v1.0.1
- v0.49.1
For more information about this vulnerability, see CVE-2021-25742.
Impacts
If the permissions to create and modify Ingresses are granted to a non-administrator user in a multi-tenant cluster, the user can use the custom snippets feature to obtain all Secrets in the cluster. This may cause unauthorized access to other tenants or secret information in the cluster.
Mitigation
Run the following command to modify the nginx-configuration ConfigMap in the kube-system namespace:
kubectl edit configmap -nkube-system nginx-configuration
Set allow-snippet-annotations
to false
:
data:
allow-snippet-annotations: "false"