Kubernetes · Ingress-Nginx · CVE-2026-24513
**Name of the Vulnerable Software and Affected Versions**
ingress-nginx versions prior to 1.11.4
ingress-nginx versions prior to 1.12.1
**Description**
A security issue exists in ingress-nginx where the protection provided by the `auth-url` Ingress annotation may not function as expected because of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and the configured default custom-errors backend is defective and does not respect the `X-Code` HTTP header, an Ingress with the `auth-url` annotation may be accessible even when authentication fails.

The root cause is improper trust in HTTP responses from an external custom error backend. Attackers can target Ingress resources that use `auth-url` together with `custom-http-errors`, exploiting misbehaving external error backends that ignore the `X-Code` header to bypass authentication controls. The vulnerable component is the interaction between ingress-nginx and external custom error backends; the **API Endpoint** involved is the Ingress resource configured with `auth-url`, and the vulnerable parameter is the `X-Code` HTTP header.
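The defect the advisory describes lives in the custom error backend, not in ingress-nginx itself: the controller forwards the original error status to the backend in the `X-Code` header, and a backend that renders a page but always answers 200 turns a failed `auth-url` check into a success. The following Go program is an added example (not ingress-nginx code, and not the project's own `custom-error-pages` image) that puts the defective pattern next to a hardened handler which propagates `X-Code` and fails closed when the header is missing or not an error status. The `/healthz` route reflects the usual default-backend contract of answering 200 on that path; the port and text body are assumptions.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strconv"
)

// statusFromXCode reads the X-Code header that ingress-nginx sets on the
// request it proxies to the custom error backend. It accepts only 4xx/5xx
// values: an error backend has no business answering with a success code,
// so anything else (missing, non-numeric, 2xx) is reported as invalid and
// the caller fails closed instead of silently defaulting to 200.
func statusFromXCode(h http.Header) (int, bool) {
	code, err := strconv.Atoi(h.Get("X-Code"))
	if err != nil || code < 400 || code > 599 {
		return 0, false
	}
	return code, true
}

// defectiveHandler is the broken pattern from the advisory: it mentions the
// error in the body but always answers HTTP 200, discarding the 401/403 that
// the auth subrequest produced. Kept here only as the "before" for comparison.
func defectiveHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "error %s\n", r.Header.Get("X-Code"))
}

// hardenedHandler echoes X-Code as the response status. When the header is
// absent or not an error code it answers 500 rather than 200, so a misrouted
// or malformed request can never be mistaken for a successful auth result.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	code, ok := statusFromXCode(r.Header)
	if !ok {
		code = http.StatusInternalServerError
	}
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.WriteHeader(code)
	fmt.Fprintf(w, "error %d\n", code)
}

// acceptableErrorStatus is the one-line check an operator can run against a
// deployed backend: a reply to an X-Code 401/403 request is acceptable only
// if it is itself non-2xx.
func acceptableErrorStatus(status int) bool {
	return status >= 400
}

func main() {
	mux := http.NewServeMux()
	// Default backends are expected to answer 200 on /healthz for probes;
	// every other path renders the error page with the propagated status.
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	mux.HandleFunc("/", hardenedHandler)
	log.Println("custom error backend listening on :8080 (assumed port)")
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

To spot-check a backend already running in a cluster, send it a request with `X-Code: 401` and confirm the reply status is 401 (or at least not 2xx); a 200 reply is exactly the misbehaviour the advisory warns about.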
**Recommendations**
Upgrade to ingress-nginx version 1.11.4 or later.
Upgrade to ingress-nginx version 1.12.1 or later.
Audit Ingress objects using both `auth-url` and `custom-http-errors` annotations.
Replace external error backends or fix X-Code header handling.
Monitor ingress-nginx logs for HTTP 200 responses with `auth response status=401/403`.
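The audit recommended above can be scripted against the output of `kubectl get ingress -A -o json`. The Go program below is an added example, not part of the advisory or of ingress-nginx: it parses that JSON, reports every Ingress that carries both the `nginx.ingress.kubernetes.io/auth-url` and `nginx.ingress.kubernetes.io/custom-http-errors` annotations (the full keys behind the short names the advisory uses), and notes whether the listed codes include 401 or 403. The embedded document is constructed sample data so the program runs offline; pass a file path as the first argument to audit a real dump.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Standard ingress-nginx annotation keys; the advisory names them by their
// short forms auth-url and custom-http-errors.
const (
	authURLAnnotation      = "nginx.ingress.kubernetes.io/auth-url"
	customErrorsAnnotation = "nginx.ingress.kubernetes.io/custom-http-errors"
)

// ingressList mirrors only the fields this audit needs from kubectl's JSON.
type ingressList struct {
	Items []struct {
		Metadata struct {
			Name        string            `json:"name"`
			Namespace   string            `json:"namespace"`
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	} `json:"items"`
}

// Finding is one Ingress that combines both annotations.
type Finding struct {
	Namespace, Name string
	AuthURL         string
	Codes           []string
	CoversAuthCodes bool // 401 or 403 appears in the custom error code list
}

// coversAuthCodes reports whether 401 or 403, the two statuses the advisory
// singles out, are among the configured custom error codes.
func coversAuthCodes(codes []string) bool {
	for _, c := range codes {
		if c == "401" || c == "403" {
			return true
		}
	}
	return false
}

// splitCodes turns the annotation's comma-separated value into trimmed codes.
func splitCodes(v string) []string {
	var out []string
	for _, p := range strings.Split(v, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// auditIngresses returns every Ingress carrying both annotations, in the
// order kubectl listed them.
func auditIngresses(data []byte) ([]Finding, error) {
	var list ingressList
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, fmt.Errorf("parse ingress list: %w", err)
	}
	var findings []Finding
	for _, it := range list.Items {
		auth, hasAuth := it.Metadata.Annotations[authURLAnnotation]
		errs, hasErrs := it.Metadata.Annotations[customErrorsAnnotation]
		if !hasAuth || !hasErrs {
			continue
		}
		codes := splitCodes(errs)
		findings = append(findings, Finding{
			Namespace: it.Metadata.Namespace, Name: it.Metadata.Name,
			AuthURL: auth, Codes: codes, CoversAuthCodes: coversAuthCodes(codes),
		})
	}
	return findings, nil
}

// sampleList is constructed sample data in the shape of `kubectl get ingress -A -o json`.
const sampleList = `{"items":[
 {"metadata":{"name":"admin","namespace":"ops","annotations":{
   "nginx.ingress.kubernetes.io/auth-url":"http://auth.ops.svc/verify",
   "nginx.ingress.kubernetes.io/custom-http-errors":"401, 403, 404"}}},
 {"metadata":{"name":"legacy","namespace":"ops","annotations":{
   "nginx.ingress.kubernetes.io/auth-url":"http://auth.ops.svc/verify",
   "nginx.ingress.kubernetes.io/custom-http-errors":"404,503"}}},
 {"metadata":{"name":"public","namespace":"web","annotations":{
   "nginx.ingress.kubernetes.io/custom-http-errors":"404"}}},
 {"metadata":{"name":"api","namespace":"web","annotations":{
   "nginx.ingress.kubernetes.io/auth-url":"http://auth.web.svc/verify"}}}
]}`

func main() {
	data := []byte(sampleList)
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		data = b
	}
	findings, err := auditIngresses(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s auth-url=%s custom-http-errors=%v covers401or403=%t\n",
			f.Namespace, f.Name, f.AuthURL, f.Codes, f.CoversAuthCodes)
	}
}
```

Findings with `covers401or403=true` are the ones that match the advisory's preconditions most directly. The script does not inspect the controller's own ConfigMap, where a cluster-wide `custom-http-errors` setting including 401 or 403 makes every `auth-url` Ingress relevant even without the per-Ingress annotation, so check that setting separately.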