HAProxy Kubernetes Ingress Controller Secret Leak Vulnerability
Vulnerability
A vulnerability exists in HAProxy Kubernetes Ingress Controller versions prior to 3.1.13 when the config-snippets feature flag is enabled. With that feature on, any user permitted to create or update Ingress objects can inject custom HAProxy configuration into the controller. Exploiting this can expose sensitive Kubernetes service account tokens, including the ingress controller's own token secret. That secret grants access to whatever data the ingress controller can read, so it can be used to escalate privileges within the Kubernetes cluster.
Impact
Exploitation of this vulnerability allows unauthorized access to Kubernetes API secrets, specifically service account tokens, from the ingress controller's environment. This can lead to privilege escalation within the Kubernetes cluster, and the risk is highest in multi-tenant or hosted environments where the users allowed to manage Ingress objects are not trusted.
Remediation
Users of HAProxy Kubernetes Ingress Controller should upgrade to version 3.1.13. Users of HAProxy Enterprise Kubernetes Ingress Controller should upgrade to version 3.0.16-ee1, 1.11.13-ee1, or 1.9.15-ee1, depending on their release branch. Those unable to upgrade immediately can disable the config-snippets feature as a temporary workaround, since the issue is only reachable when that feature is enabled.
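As an added inventory check, not part of the advisory or of the HAProxy project, the following Python script maps a controller image tag to the affected and fixed ranges stated above: community releases before 3.1.13 are affected, and enterprise releases are fixed per branch at 3.0.16-ee1, 1.11.13-ee1 and 1.9.15-ee1. The image references in the sample input are constructed, the tag-parsing logic is this example's own, and treating an enterprise branch the advisory does not name as affected is a conservative assumption made here rather than something the advisory states.

```python
"""Map HAProxy Kubernetes Ingress Controller image tags to the advisory's
affected/fixed ranges. Fixed versions are taken from the advisory text; the
parsing, the sample inputs and the handling of unlisted branches are this
example's own assumptions."""
import re
from typing import List, Optional, Tuple

# Community (OSS) releases: everything before 3.1.13 is affected (per advisory).
OSS_FIXED = (3, 1, 13)
# Enterprise (-eeN suffix) releases are fixed per branch (per advisory).
ENTERPRISE_FIXED = {
    (3, 0): (3, 0, 16),
    (1, 11): (1, 11, 13),
    (1, 9): (1, 9, 15),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-ee(\d+))?$")


def parse_version(tag: str) -> Tuple[Tuple[int, int, int], Optional[int]]:
    """Split a tag like '3.1.12' or '3.0.15-ee1' into ((major, minor, patch), ee).
    ee is None for community builds."""
    m = _VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    major, minor, patch, ee = m.groups()
    return (int(major), int(minor), int(patch)), (int(ee) if ee else None)


def tag_from_image(image: str) -> str:
    """Extract the tag from an image reference, tolerating a registry port and
    an appended digest (e.g. 'registry:5000/ns/img:3.1.12@sha256:...')."""
    ref = image.split("@", 1)[0]  # drop a trailing digest if present
    _name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:  # no tag at all, or the colon was a registry port
        raise ValueError(f"no tag in image reference: {image!r}")
    return tag


def is_affected(tag: str, config_snippets_enabled: bool = True) -> bool:
    """True when the version is in the affected range AND config snippets are on.
    The advisory scopes the issue to the config-snippets feature, so a controller
    with that feature disabled is treated as mitigated."""
    if not config_snippets_enabled:
        return False
    ver, ee = parse_version(tag)
    if ee is None:
        return ver < OSS_FIXED
    fixed = ENTERPRISE_FIXED.get(ver[:2])
    if fixed is None:
        # Enterprise branch not named in the advisory: assume affected until the
        # vendor confirms otherwise (conservative assumption of this example).
        return True
    return ver < fixed


def scan_images(images: List[str], config_snippets_enabled: bool = True) -> List[str]:
    """Return the subset of image references that still need the fix."""
    return [img for img in images if is_affected(tag_from_image(img), config_snippets_enabled)]


if __name__ == "__main__":
    # Constructed sample inventory; the repository name mirrors the public
    # haproxytech/kubernetes-ingress image but the tags are illustrative.
    inventory = [
        "haproxytech/kubernetes-ingress:3.1.12",
        "haproxytech/kubernetes-ingress:3.1.13",
        "registry.example:5000/haproxytech/kubernetes-ingress:3.0.15-ee1",
        "haproxytech/kubernetes-ingress:1.11.13-ee1",
    ]
    for img in scan_images(inventory):
        print(f"needs upgrade: {img}")
```

Run it against the image references reported by `kubectl get deploy -A -o jsonpath='{..image}'` (or whatever inventory source you use); pass `config_snippets_enabled=False` for controllers where the workaround has already been applied, and those drop out of the result.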
