PT-2021-7023 · Nginx · Nginx Ingress Controller
Published 2021-01-06 · Updated 2023-11-06 · CVE-2021-23055
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
NGINX Ingress Controller versions 1.x through 1.12.3
NGINX Ingress Controller versions 2.x through 2.0.3
Description
The NGINX Ingress Controller command-line handler performs insufficient permission assignment checking for a critical resource: the command-line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. This could allow a remote attacker to disclose protected information.
Recommendations
For NGINX Ingress Controller versions 1.x through 1.12.3, update to version 1.12.3 or later.
For NGINX Ingress Controller versions 2.x through 2.0.3, update to version 2.0.3 or later.
As a temporary workaround, consider restricting access to Ingress objects until a patch is available.
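To scope the workaround, it helps to know which existing Ingress objects already carry snippet annotations. The audit below is an added example, not part of the advisory or of NGINX's tooling; it assumes the `nginx.org/<context>-snippets` annotation names from the NGINX Ingress Controller documentation (this page names none) and runs on a constructed sample shaped like `kubectl get ingress -A -o json` output.

```python
import json

# Assumption: snippet annotations use the nginx.org/<context>-snippets names from
# the NGINX Ingress Controller documentation; the advisory itself names none.
PREFIX, SUFFIX = "nginx.org/", "-snippets"

# Constructed sample shaped like `kubectl get ingress -A -o json` output.
SAMPLE = """
{"kind": "List", "items": [
  {"kind": "Ingress",
   "metadata": {"namespace": "team-a", "name": "shop", "annotations": {
     "kubernetes.io/ingress.class": "nginx",
     "nginx.org/server-snippets": "add_header X-Example 1;",
     "nginx.org/location-snippets": "add_header X-Example 2;"}}},
  {"kind": "Ingress",
   "metadata": {"namespace": "team-b", "name": "api", "annotations": null}},
  {"kind": "Ingress", "metadata": {"namespace": "team-b", "name": "docs"}}
]}
"""


def find_snippet_ingresses(raw_json):
    """Return sorted (namespace, name, annotation) tuples for Ingress objects
    that carry a snippet annotation."""
    doc = json.loads(raw_json)
    # Accept a List wrapper or a single Ingress object.
    items = doc["items"] if "items" in doc else [doc]
    findings = []
    for obj in items:
        if obj.get("kind") != "Ingress":
            continue
        meta = obj.get("metadata") or {}
        # metadata.annotations may be absent or null.
        for key in (meta.get("annotations") or {}):
            if key.startswith(PREFIX) and key.endswith(SUFFIX):
                findings.append(
                    (meta.get("namespace", "default"), meta.get("name", ""), key))
    return sorted(findings)


if __name__ == "__main__":
    for ns, name, key in find_snippet_ingresses(SAMPLE):
        print(f"{ns}/{name}: {key}")
```

Replace `SAMPLE` with the JSON exported from the cluster to review real objects before tightening who may create or modify Ingress resources.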
Fix
Incorrect Permission
Weakness Enumeration
Related Identifiers
Affected Products
Nginx Ingress Controller