Vulnerabilities in ingress-nginx that allow Kubernetes clusters to be compromised

Three vulnerabilities have been identified in the ingress-nginx controller developed by the Kubernetes project. In the default configuration they allow a user who can modify the settings of an Ingress object to obtain, among other things, the credentials the controller uses to reach the Kubernetes API server, which gives privileged access to the cluster. The problems are specific to the Kubernetes project's ingress-nginx controller and do not affect the kubernetes-ingress controller developed by the NGINX developers.

An ingress controller acts as a gateway and is used in Kubernetes to provide access from the external network to services inside the cluster. ingress-nginx is the most popular such controller; it uses the NGINX server to forward requests into the cluster, route external requests, and load balance. The Kubernetes project provides core ingress controllers for AWS, GCE, and nginx, the last of which is in no way related to the kubernetes-ingress controller maintained by F5/NGINX.


Vulnerabilities CVE-2023-5043 and CVE-2023-5044 allow arbitrary code to be executed on the server with the privileges of the ingress controller process, by injecting it through the "nginx.ingress.kubernetes.io/configuration-snippet" and "nginx.ingress.kubernetes.io/permanent-redirect" annotations respectively. Among other things, the access obtained in this way allows retrieval of the token used for authentication to the cluster control plane. Vulnerability CVE-2022-4886 allows file path validation to be bypassed via the log_format directive.

The first two vulnerabilities affect only ingress-nginx releases before version 1.9.0, and the last one only releases before version 1.8.0. To carry out an attack, an attacker must have access to the configuration of an Ingress object, as is the case, for example, in multi-tenant Kubernetes clusters where users are allowed to create objects in their own namespace.
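The following audit script is an added example for cluster operators and is not code from the article or from the ingress-nginx project. It takes the JSON that `kubectl get ingress -A -o json` produces (a constructed sample is embedded so it runs offline), reports every Ingress object that carries one of the two annotations named above, and compares a controller version string against the fixed versions the article states (1.9.0 for the snippet and redirect issues, 1.8.0 for the log_format issue). The namespaces, Ingress names and version strings in the sample are made up.

```python
"""Audit Ingress annotations and controller version against the advisory.

Added example, not part of the original article. Sample data is constructed.
"""
import json

# Annotations named in the article, mapped to the CVE they are used for.
RISKY_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/configuration-snippet": "CVE-2023-5043",
    "nginx.ingress.kubernetes.io/permanent-redirect": "CVE-2023-5044",
}

# First fixed release for each issue, as stated in the article.
FIXED_IN = {
    "CVE-2023-5043": (1, 9, 0),
    "CVE-2023-5044": (1, 9, 0),
    "CVE-2022-4886": (1, 8, 0),
}


def parse_version(version):
    """'v1.8.1' -> (1, 8, 1); a pre-release suffix such as '-rc1' is ignored."""
    core = version.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def affected_cves(controller_version):
    """Return the CVEs from the article that still affect this controller version."""
    ver = parse_version(controller_version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if ver < fixed)


def find_risky_ingresses(ingress_list):
    """Return (namespace, name, annotation, cve) for every risky annotation found.

    ingress_list is the parsed output of `kubectl get ingress -A -o json`.
    """
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        namespace = meta.get("namespace", "default")
        name = meta.get("name", "?")
        annotations = meta.get("annotations") or {}
        for annotation, cve in RISKY_ANNOTATIONS.items():
            if annotation in annotations:
                findings.append((namespace, name, annotation, cve))
    return findings


# Constructed sample: three Ingress objects in two tenant namespaces.
SAMPLE_INGRESS_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "tenant-a", "name": "web",
                      "annotations": {
                          "kubernetes.io/ingress.class": "nginx",
                          "nginx.ingress.kubernetes.io/configuration-snippet": "# tenant-supplied"}}},
        {"metadata": {"namespace": "tenant-b", "name": "shop",
                      "annotations": {"kubernetes.io/ingress.class": "nginx"}}},
        {"metadata": {"namespace": "tenant-b", "name": "old-site",
                      "annotations": {
                          "nginx.ingress.kubernetes.io/permanent-redirect": "https://example.invalid/"}}},
    ],
})


def audit(ingress_json, controller_version):
    """Combine both checks into one report dict."""
    return {
        "controller_version": controller_version,
        "unfixed_cves": affected_cves(controller_version),
        "risky_ingresses": find_risky_ingresses(json.loads(ingress_json)),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_INGRESS_JSON, "v1.8.1")
    print("controller", report["controller_version"], "still affected by:", report["unfixed_cves"])
    for namespace, name, annotation, cve in report["risky_ingresses"]:
        print(f"{namespace}/{name}: {annotation} ({cve})")
```

Run against a live cluster by piping `kubectl get ingress -A -o json` into `find_risky_ingresses` and taking the controller version from the running image tag. A hit does not by itself mean the Ingress is malicious, only that a tenant with write access to that object could reach the code path the article describes; on a controller older than the stated fixed releases, that is the condition the article lists as required for the attack.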

Source: opennet.ru
