cbcvebase.
CVE-2021-25748
published 2023-05-24

CVE-2021-25748: A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization…

PriorityP337medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.69%
48.3th percentile
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Affected

3 ranges
VendorProductVersion rangeFixed in
k8s.ioingress-nginx>= 0 < 1.2.11.2.1
kubernetesingress-nginx< 1.2.11.2.1
kuberneteskubernetes_ingress-nginx>= unspecified < 1.2.11.2.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.