PT-2024-5586 · Unknown · Ingress-Nginx

André Storfjord Kristiansen · Published 2024-08-16 · Updated 2025-09-04 · CVE-2024-7646

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ingress-nginx versions prior to 1.12
Description: A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. The vulnerability allows an attacker to inject malicious content into certain annotations, bypassing the intended validation checks, which can lead to arbitrary command injection and potential access to the cluster's secrets.
Recommendations: For versions prior to 1.12, update to version 1.12 or later to resolve the issue. As a temporary workaround, consider restricting the use of certain annotations in Ingress resources to minimize the risk of exploitation.
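An added audit helper (example code, not the advisory's or the ingress-nginx project's own) that turns the two recommendations above into offline checks: the 1.12 threshold comes from the advisory, while the per-namespace annotation allowlist, the controller image tag and the Ingress manifests are constructed sample data.

```python
"""Audit helper for the advisory above (added example, not the project's code).
Checks: is the controller image older than the fixed 1.12 release, and which
Ingress objects use ingress-nginx annotations a per-namespace allowlist does not permit."""
import re

FIXED_VERSION = (1, 12)  # fixed in ingress-nginx 1.12 per the advisory
PREFIX = "nginx.ingress.kubernetes.io/"
TAG_RE = re.compile(r":v?(\d+)\.(\d+)(?:\.\d+)?(?:[-@]|$)")  # ...controller:v1.11.2[-suffix|@digest]


def controller_is_affected(image: str) -> bool:
    """True when the image tag is a version before 1.12; an unparsable tag
    (e.g. a bare digest) is reported as affected so that it gets reviewed."""
    m = TAG_RE.search(image)
    return True if m is None else (int(m[1]), int(m[2])) < FIXED_VERSION


def disallowed_annotations(ingress: dict, allowlist: dict) -> list:
    """ingress-nginx annotation keys on this Ingress that its namespace may not use."""
    meta = ingress.get("metadata", {})
    allowed = allowlist.get(meta.get("namespace", "default"), set())
    return sorted(k for k in (meta.get("annotations") or {})
                  if k.startswith(PREFIX) and k not in allowed)


def audit(image: str, ingresses: list, allowlist: dict):
    """Return (controller_affected, [(namespace, name, disallowed keys), ...])."""
    findings = []
    for ing in ingresses:
        bad = disallowed_annotations(ing, allowlist)
        if bad:
            meta = ing["metadata"]
            findings.append((meta.get("namespace", "default"), meta["name"], bad))
    return controller_is_affected(image), findings


# Constructed sample: a pre-fix controller, an allowlist that lets only the "web"
# namespace use rewrite-target, and two Ingress objects to audit.
SAMPLE_IMAGE = "registry.k8s.io/ingress-nginx/controller:v1.11.2"
SAMPLE_ALLOWLIST = {"web": {PREFIX + "rewrite-target"}}
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "web", "name": "shop",
                  "annotations": {PREFIX + "rewrite-target": "/"}}},
    {"metadata": {"namespace": "dev", "name": "sandbox",
                  "annotations": {PREFIX + "ssl-redirect": "true",
                                  PREFIX + "configuration-snippet": "# placeholder"}}},
]

if __name__ == "__main__":
    affected, findings = audit(SAMPLE_IMAGE, SAMPLE_INGRESSES, SAMPLE_ALLOWLIST)
    print("controller affected:", affected)
    for ns, name, keys in findings:
        print(f"{ns}/{name}: review annotations {keys}")
```

In a real cluster the manifests would come from `kubectl get ingress -A -o json` and the image from the controller Deployment; the allowlist is a policy decision for each namespace.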

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2024-06271
BIT-NGINX-INGRESS-CONTROLLER-2024-7646
CVE-2024-7646
GO-2024-3075

Affected Products

Red Os
Ingress-Nginx