Skip to content

x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-863x-868h-968x #1789

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
GoVulnBot opened this issue May 24, 2023 · 2 comments
Closed

x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-863x-868h-968x #1789

GoVulnBot opened this issue May 24, 2023 · 2 comments
Assignees
@maceonthompson
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-863x-868h-968x, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
k8s.io/ingress-nginx 1.2.1 < 1.2.1

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: k8s.io/ingress-nginx
    versions:
      - fixed: 1.2.1
    packages:
      - package: k8s.io/ingress-nginx
summary: Ingress-nginx `path` sanitization can be bypassed with newline character
description: A security issue was discovered in ingress-nginx where a user that can
    create or update ingress objects can use a newline character to bypass the sanitization
    of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io`
    or `extensions` API group) to obtain the credentials of the ingress-nginx controller.
    In the default configuration, that credential has access to all secrets in the
    cluster.
cves:
  - CVE-2021-25748
ghsas:
  - GHSA-863x-868h-968x
references:
  - web: https://nvd.nist.gov/vuln/detail/CVE-2021-25748
  - report: https://github.com/kubernetes/ingress-nginx/issues/8686
  - web: https://groups.google.com/g/kubernetes-security-announce/c/avaRYa9c7I8
  - fix: https://github.com/kubernetes/ingress-nginx/pull/8623
  - web: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.2.1
  - advisory: https://github.com/advisories/GHSA-863x-868h-968x
@maceonthompson maceonthompson self-assigned this May 25, 2023
@maceonthompson maceonthompson added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label May 25, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/498277 mentions this issue: data/excluded: batch add GO-2023-1785, GO-2023-1789, GO-2023-1787

This was referenced Jul 13, 2023
Closed
Closed
This was referenced Nov 3, 2023
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Jan 2, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports

This was referenced Mar 25, 2025
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maceonthompson maceonthompson

Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @maceonthompson @GoVulnBot