PT-2023-6428 · Unknown · Ingress-Nginx

Suanve · Published 2023-10-25 · Updated 2026-02-05 · CVE-2023-5043

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ingress-nginx versions prior to 1.9.0

Description: A security issue in ingress-nginx allows arbitrary command execution through annotation injection. This can be exploited by a remote attacker to execute arbitrary code or elevate privileges. The issue stems from improper handling of input data supplied in the nginx.ingress.kubernetes.io/configuration-snippet annotation, which the controller passes into the generated NGINX configuration. In multi-tenant environments where non-admin users have permissions to create Ingress objects, the impact is more significant. The estimated number of potentially affected devices is not provided.

Recommendations: For versions prior to 1.9.0, set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields. As a temporary workaround, consider restricting access to the nginx.ingress.kubernetes.io/configuration-snippet annotation to minimize the risk of exploitation. Update to version 1.9.0 or later to fully resolve the issue.
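The following audit script is an added example (not part of this advisory or the ingress-nginx project) that checks the two points the recommendations raise: which Ingress objects carry the configuration-snippet annotation, and whether the controller Deployment passes --enable-annotation-validation. The input dictionaries mirror the shape of `kubectl get ... -o json` output and are constructed samples, not real cluster data.

```python
import json

# Annotation and controller flag named in the advisory.
SNIPPET_ANNOTATION = "nginx.ingress.kubernetes.io/configuration-snippet"
VALIDATION_FLAG = "--enable-annotation-validation"

# Constructed sample in the shape of `kubectl get ingress -A -o json` (not real data).
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "team-a", "name": "web",
                  "annotations": {SNIPPET_ANNOTATION: 'more_set_headers "X-Tenant: a";'}}},
    {"metadata": {"namespace": "team-b", "name": "api", "annotations": {}}},
]}

# Constructed sample of the controller Deployment; the mitigation flag is absent here.
SAMPLE_CONTROLLER = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller",
     "args": ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader"]},
]}}}}


def find_snippet_ingresses(ingress_list):
    """Return (namespace, name) for every Ingress carrying the configuration-snippet annotation."""
    hits = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        if SNIPPET_ANNOTATION in (meta.get("annotations") or {}):
            hits.append((meta.get("namespace", "default"), meta.get("name", "")))
    return hits


def validation_enabled(deployment):
    """True only if a controller container passes the flag and does not set it to false."""
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for arg in container.get("args", []):
            name, _, value = arg.partition("=")  # accepts bare flag or flag=value
            if name == VALIDATION_FLAG:
                return value.lower() not in ("false", "0")
    return False


def audit(ingress_list, deployment):
    """Summarise exposure: snippet-bearing Ingresses plus whether the mitigation flag is set."""
    return {
        "snippet_ingresses": find_snippet_ingresses(ingress_list),
        "annotation_validation": validation_enabled(deployment),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INGRESSES, SAMPLE_CONTROLLER), indent=2))
```

On a live cluster, feed the script the parsed output of `kubectl get ingress -A -o json` and of the controller Deployment; any Ingress it lists on a controller without the flag is a candidate for the access restriction described above.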

Fix

Special Elements Injection

RCE

Weakness Enumeration

Related Identifiers

BDU:2023-07144
BIT-NGINX-INGRESS-CONTROLLER-2023-5043
CVE-2023-5043
GHSA-5WJ4-WFFQ-3378

Affected Products

Ingress-Nginx