Ingress Nginx
CVE-2021-25742
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.
AnalysisAI
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-20. A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. Affected products include: Kubernetes Ingress-Nginx, Netapp Trident.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Ingress Nginx
View allCode injection via nginx.ingress.kubernetes.io/permanent-redirect annotation. Rated high severity (CVSS 8.8), this vulne
Ingress nginx annotation injection causes arbitrary command execution. Rated high severity (CVSS 8.8), this vulnerabilit
The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and t
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today