PT-2020-6523 · Unknown · Ingress-Nginx

Aledbf

Published: 2020-02-19 · Updated: 2024-03-06 · CVE-2020-8553

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ingress-nginx versions prior to 0.28.0

Description: The issue is related to errors in processing hyperlinks in the ingress-nginx controller in a Kubernetes cluster. A remote attacker can exploit it to create, modify, or delete data. Specifically, a user who can create namespaces and read and create ingress objects can overwrite the password file of another ingress that uses basic authentication when that ingress has a hyphenated namespace or secret name.

Recommendations: For versions prior to 0.28.0, update to version 0.28.0 or later. As a temporary workaround, consider restricting access to the nginx.ingress.kubernetes.io/auth-type component to minimize the risk of exploitation, and avoid using hyphenated namespace or secret names in ingress objects that use basic authentication until the issue is resolved.
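As an added example (not part of this advisory and not ingress-nginx project code), the check below scans a list of ingress objects, shaped like trimmed-down `kubectl get ingress -A -o json` output, and reports the two things the workaround cares about: basic-auth ingresses whose namespace or secret name contains a hyphen, and pairs of ingresses whose namespace and secret name would produce the same password-file name. The sample objects are constructed, and the file-naming rule (namespace and secret name joined by a hyphen) is an assumption consistent with the description, not a statement of the controller's actual implementation.

```python
"""Audit helper for the CVE-2020-8553 workaround (added example, constructed data)."""
from collections import defaultdict

AUTH_TYPE = "nginx.ingress.kubernetes.io/auth-type"
AUTH_SECRET = "nginx.ingress.kubernetes.io/auth-secret"

# Constructed sample: two ingresses in different namespaces whose namespace/secret
# pairs would map to the same password file under the assumed naming rule.
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "team-a", "name": "web",
                  "annotations": {AUTH_TYPE: "basic", AUTH_SECRET: "creds"}}},
    {"metadata": {"namespace": "team", "name": "evil",
                  "annotations": {AUTH_TYPE: "basic", AUTH_SECRET: "a-creds"}}},
    {"metadata": {"namespace": "shop", "name": "api",
                  "annotations": {AUTH_TYPE: "basic", AUTH_SECRET: "apicreds"}}},
    {"metadata": {"namespace": "pub-site", "name": "www", "annotations": {}}},
]


def auth_file_key(namespace, secret):
    """Assumed naming rule: namespace and secret name joined by a hyphen."""
    return f"{namespace}-{secret}"


def basic_auth_ingresses(ingresses):
    """Yield (namespace, ingress name, secret name) for every basic-auth ingress.

    The auth-secret annotation may be given as "name" or "namespace/name";
    the latter form overrides the ingress namespace.
    """
    for ing in ingresses:
        meta = ing["metadata"]
        ann = meta.get("annotations") or {}
        if ann.get(AUTH_TYPE) != "basic" or AUTH_SECRET not in ann:
            continue
        ns, secret = meta["namespace"], ann[AUTH_SECRET]
        if "/" in secret:
            ns, secret = secret.split("/", 1)
        yield ns, meta["name"], secret


def find_hyphenated(ingresses):
    """Ingresses the workaround says to avoid: basic auth with a hyphen in namespace or secret."""
    return [(ns, name, secret) for ns, name, secret in basic_auth_ingresses(ingresses)
            if "-" in ns or "-" in secret]


def find_collisions(ingresses):
    """Groups of ingresses whose (namespace, secret) pairs share one assumed file name."""
    by_key = defaultdict(list)
    for ns, name, secret in basic_auth_ingresses(ingresses):
        by_key[auth_file_key(ns, secret)].append((ns, name))
    return {key: owners for key, owners in by_key.items() if len(owners) > 1}


if __name__ == "__main__":
    for ns, name, secret in find_hyphenated(SAMPLE_INGRESSES):
        print(f"hyphenated basic-auth ingress: {ns}/{name} (secret {secret})")
    for key, owners in find_collisions(SAMPLE_INGRESSES).items():
        print(f"ambiguous password file '{key}.passwd' shared by: {owners}")
```

Run it against real cluster data by replacing `SAMPLE_INGRESSES` with the `items` list from `kubectl get ingress -A -o json`; any collision group is a candidate for renaming or for the upgrade to 0.28.0.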

Fix

Weakness Enumeration

Related Identifiers

BDU:2021-06050
BIT-NGINX-INGRESS-CONTROLLER-2020-8553
CVE-2020-8553
GHSA-HHPM-74PM-HF35

Affected Products

Ingress-Nginx