C-0059 - CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability
Framework
MITRE, ArmoBest, NSA, AllControls
Severity
High
Description of the the issue
Security issue in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (see more at https://github.com/kubernetes/ingress-nginx/issues/7837)
Related resources
ConfigMap, Deployment
What does this control test
The control checks if the nginx-ingress-controller contains the ability to disable allowSnippetAnnotations and that indeed this feature is turned off
Remediation
To mitigate this vulnerability: 1. Upgrade to a version that allows mitigation (>= v0.49.1 or >= v1.0.1), 2. Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx
Example
No example
Updated 11 days ago