CVE-2021-25742

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
kubernetesCNA
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
VendorProductVersion
kubernetesingress-nginx
𝑥
< 0.49.1
kubernetesingress-nginx
1.0.0
netapptrident
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/kubernetes/ingress-nginx/issues/7837
https://groups.google.com/g/kubernetes-security-announce/c/mT4JJxi9tQY
https://security.netapp.com/advisory/ntap-20211203-0001/
https://github.com/kubernetes/ingress-nginx/issues/7837
https://groups.google.com/g/kubernetes-security-announce/c/mT4JJxi9tQY
https://security.netapp.com/advisory/ntap-20211203-0001/