Description
A security issue was discovered in ingress-nginx versions older than v0.28.0. The issue is of medium severity, and upgrading is encouraged to fix the vulnerability.
Am I vulnerable?
The vulnerability exists only if the annotation nginx.ingress.kubernetes.io/auth-type: basic is used.
How do I upgrade?
Follow installation instructions here
Vulnerability Details
A vulnerability has been discovered where a malicious user could create a new Ingress definition that results in the replacement of the password file generated for another Ingress that uses basic auth. The file name is derived from the namespace and secret names joined by a hyphen, so the attack requires that the victim namespace and/or secret contain a hyphen: with such names, a different namespace/secret combination chosen by the attacker can resolve to the same file name.
This scenario requires privileges in the cluster to create and read Ingresses and also to create Secrets.
This issue is filed as CVE-2020-8553.
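The following Go program is an added illustration of the naming collision described above; it is not code from ingress-nginx and does not reproduce the upstream fix. It assumes, as the advisory describes, that the vulnerable scheme names the generated htpasswd file `<namespace>-<secret>.passwd`. The `safePasswdPath` function shows one collision-free alternative (hashing the pair with a separator that cannot occur in a Kubernetes object name) as an example approach, and `findLegacyCollisions` is a check an operator could run over the namespace/secret pairs of every basic-auth Ingress in a cluster to see which ones would share a file under the old scheme. The namespace and secret names used are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"path/filepath"
)

// legacyPasswdPath models the vulnerable naming scheme: the htpasswd file is
// named by joining the namespace and secret name with a hyphen. Because names
// may themselves contain hyphens, the mapping is not injective. This is an
// illustration of the bug class, not the controller's own code.
func legacyPasswdPath(dir, namespace, secretName string) string {
	return filepath.Join(dir, fmt.Sprintf("%s-%s.passwd", namespace, secretName))
}

// safePasswdPath derives the file name from an unambiguous encoding of the
// (namespace, secret) pair. "/" cannot appear in a Kubernetes object name, so
// "team-a/creds" and "team/a-creds" are distinct inputs. Hashing keeps the
// file name short and free of path characters. (Illustrative alternative,
// not the upstream patch.)
func safePasswdPath(dir, namespace, secretName string) string {
	sum := sha256.Sum256([]byte(namespace + "/" + secretName))
	return filepath.Join(dir, hex.EncodeToString(sum[:])+".passwd")
}

// pathCollision reports whether two (namespace, secret) pairs map to the same
// file under the given naming function.
func pathCollision(name func(dir, ns, s string) string, ns1, s1, ns2, s2 string) bool {
	return name("/auth", ns1, s1) == name("/auth", ns2, s2)
}

// findLegacyCollisions takes (namespace, secret) pairs, e.g. collected from
// every Ingress carrying nginx.ingress.kubernetes.io/auth-type: basic, and
// returns only the legacy file paths claimed by more than one pair.
func findLegacyCollisions(dir string, pairs [][2]string) map[string][][2]string {
	byPath := make(map[string][][2]string)
	for _, p := range pairs {
		path := legacyPasswdPath(dir, p[0], p[1])
		byPath[path] = append(byPath[path], p)
	}
	for path, owners := range byPath {
		if len(owners) < 2 {
			delete(byPath, path)
		}
	}
	return byPath
}

func main() {
	// Constructed scenario: the victim owns namespace "team-a" with secret
	// "creds"; the attacker controls namespace "team" and creates a secret
	// named "a-creds". Under the legacy scheme both resolve to
	// /auth/team-a-creds.passwd, so the attacker's Ingress overwrites the
	// victim's password file.
	fmt.Println("legacy collision:", pathCollision(legacyPasswdPath, "team-a", "creds", "team", "a-creds")) // true
	fmt.Println("safe collision:  ", pathCollision(safePasswdPath, "team-a", "creds", "team", "a-creds"))   // false

	pairs := [][2]string{{"team-a", "creds"}, {"team", "a-creds"}, {"dev", "basic"}}
	for path, owners := range findLegacyCollisions("/auth", pairs) {
		fmt.Printf("%s is shared by %v\n", path, owners)
	}
}
```

To audit a live cluster, feed `findLegacyCollisions` the namespace and `nginx.ingress.kubernetes.io/auth-secret` value of each basic-auth Ingress; any group it returns is a pair of Ingresses whose credentials could clobber each other on a controller older than v0.28.0.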
/close