ingress-nginx Controller Auth-URL Annotation Vulnerability Leading to Code Execution and Secret Disclosure

A vulnerability exists in ingress-nginx versions prior to 1.11.0, as well as in versions 1.11.0 through 1.11.4 and 1.12.0. The issue arises from the 'auth-url' Ingress annotation, which can be exploited to inject configuration into nginx. This injection could result in arbitrary code execution within the ingress-nginx controller and allow unauthorized access to Secrets that the controller can access cluster-wide. Ingress-nginx installations not using the 'enable-annotation-validation' CLI argument are vulnerable.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution in the context of the ingress-nginx controller and unauthorized disclosure of cluster-wide Secrets accessible to the controller.

Remediation

To address this vulnerability, users should upgrade ingress-nginx to version 1.11.5, 1.12.1, or any later version. If an immediate upgrade is not possible, the vulnerability can be temporarily mitigated by setting the 'enable-annotation-validation' CLI argument to 'true'.