CVE-2021-25745
Severity | High |
Remote | Yes |
Type | Information disclosure |
Description | A user who can create or update Ingress objects can use the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. |
Group | Package | Affected | Fixed | Severity | Status | Ticket |
---|---|---|---|---|---|---|
AVG-2690 | kubectl-ingress-nginx | 1.1.3-1 | 1.2.0-1 | High | Vulnerable |
References |
---|
https://github.com/kubernetes/ingress-nginx/issues/8502 |