C-0059 - CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability

Framework

ArmoBest, MITRE, NSA, AllControls

Severity

High

Description of the the issue

Security issue in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (see more at https://github.com/kubernetes/ingress-nginx/issues/7837)

Related resources

ConfigMap, Deployment

What does this control test

The control checks if the nginx-ingress-controller contains the ability to disable allowSnippetAnnotations and that indeed this feature is turned off

Remediation

To mitigate this vulnerability: 1. Upgrade to a version that allows mitigation (>= v0.49.1 or >= v1.0.1), 2. Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx

Example

No example