[kubernetes] CVE-2022-4886: Ingress-nginx `path` sanitization can be bypassed with `log_format` directive

Open Source Security 

Posted by CJ Cullen on Oct 25

Issue Details

A security issue was discovered in ingress-nginx
<https://github.com/kubernetes/ingress-nginx> where a user that can create
or update ingress objects can use directives to bypass the sanitization of
the `spec.rules[].http.paths[].path` field of an Ingress object (in the
`networking.k8s.io` or `extensions` API group) to obtain the credentials of
the ingress-nginx controller. In the default configuration, that credential
has…
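The field named above is rendered by the controller into nginx `location` blocks, so any value that reaches the generated configuration unescaped can carry nginx directives. As an added example (this is not ingress-nginx's own sanitization code and not the published bypass), the script below walks `spec.rules[].http.paths[].path` in Ingress JSON, as produced by `kubectl get ingress -A -o json`, and flags values containing nginx configuration metacharacters. The allow-list regex, the metacharacter set and the sample manifest are this example's own assumptions; an `ImplementationSpecific` regex path that the controller legitimately accepts would also be flagged by it.

```python
"""Audit Ingress path fields for nginx directive injection.

Added example: not the controller's validation, and no exploit payload is used.
Reads a Kubernetes JSON object (an Ingress, or a List with "items") from stdin,
or audits the constructed sample below when run interactively.
"""
import json
import re
import sys

# Allow-list for this audit (an assumption of the example, not upstream's rule):
# RFC 3986 unreserved characters, '/', and '%' escapes.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~%/-]*$")

# Characters that are meaningful to the nginx config parser when a value is
# rendered into a `location` block: directive terminator, block delimiters,
# comment start, variable sigil, quotes and whitespace (including newlines).
NGINX_META = set(";{}#$\"'\t\r\n ")


def path_findings(path: str) -> list[str]:
    """Return the reasons a path value is unsafe to render into nginx config."""
    reasons = []
    if not path.startswith("/"):
        reasons.append("does not start with '/'")
    meta = sorted({c for c in path if c in NGINX_META})
    if meta:
        reasons.append("nginx metacharacters: " + ", ".join(repr(c) for c in meta))
    elif not SAFE_PATH.match(path):
        reasons.append("outside allow-list")
    return reasons


def audit_ingress(ingress: dict) -> list[tuple[str, str, list[str]]]:
    """Walk spec.rules[].http.paths[].path; return (host, path, reasons) per unsafe entry."""
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        host = rule.get("host", "*")
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "")
            reasons = path_findings(path)
            if reasons:
                findings.append((host, path, reasons))
    return findings


def audit_document(doc: dict) -> list[tuple[str, str, list[str]]]:
    """Accept a single Ingress or a kubectl List and audit every Ingress in it."""
    items = doc.get("items", [doc]) if doc.get("kind") == "List" else [doc]
    return [f for item in items if item.get("kind") == "Ingress" for f in audit_ingress(item)]


# Constructed sample manifest (not taken from the advisory): one clean path,
# one carrying a directive terminator and block delimiter, one with whitespace.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {"rules": [{"host": "app.example.test", "http": {"paths": [
        {"path": "/api/v1", "pathType": "Prefix",
         "backend": {"service": {"name": "api", "port": {"number": 80}}}},
        {"path": "/x;}", "pathType": "ImplementationSpecific",
         "backend": {"service": {"name": "api", "port": {"number": 80}}}},
        {"path": "/a b", "pathType": "Prefix",
         "backend": {"service": {"name": "api", "port": {"number": 80}}}},
    ]}}]},
}


if __name__ == "__main__":
    doc = SAMPLE_INGRESS if sys.stdin.isatty() else json.load(sys.stdin)
    for host, path, reasons in audit_document(doc):
        print(f"{host} {path!r}: {'; '.join(reasons)}")
```

Run it against a live cluster with `kubectl get ingress -A -o json | python3 audit.py`; any hit is an object worth reviewing by hand, since the check is deliberately stricter than what the controller accepts.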
