CVE-2021-25742

EUVD-2021-12628
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
kubernetesCNA
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
Affected Products (NVD)
VendorProductVersion
kubernetesingress-nginx
𝑥
< 0.49.1
kubernetesingress-nginx
1.0.0
netapptrident
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/kubernetes/ingress-nginx/issues/7837
https://groups.google.com/g/kubernetes-security-announce/c/mT4JJxi9tQY
https://security.netapp.com/advisory/ntap-20211203-0001/
https://github.com/kubernetes/ingress-nginx/issues/7837
https://groups.google.com/g/kubernetes-security-announce/c/mT4JJxi9tQY
https://security.netapp.com/advisory/ntap-20211203-0001/