ingress-nginx Nginx Configuration Injection Vulnerability Allowing Code Execution and Secret Disclosure

Vulnerability

A vulnerability exists in ingress-nginx versions prior to 1.13.7 and 1.14.3: the value of the 'rules.http.paths.path' field of an Ingress object is incorporated into the Nginx configuration that the controller generates, so a crafted path value can inject Nginx configuration directives. An attacker who can create or modify Ingress objects can use this to execute arbitrary code in the context of the ingress-nginx controller and to read any Secret the controller can access. By default, the controller can read all Secrets across the cluster.

Impact

Exploitation of this vulnerability by an attacker with permission to create or modify Ingress objects could result in code execution in the ingress-nginx controller's context and the disclosure, to that attacker, of Secrets from every namespace in the cluster, since the controller's default permissions cover all cluster Secrets.

Remediation

Upgrade ingress-nginx to version 1.13.7, 1.14.3, or any later release; see the 'Upgrading Ingress-nginx' documentation for instructions. If an immediate upgrade is not possible, the issue can be temporarily mitigated with a validating admission controller that rejects Ingress resources containing a path with the 'ImplementationSpecific' path type. Such a policy only blocks new and updated Ingress objects, so Ingress objects already in the cluster should be audited separately, and it may break legitimate workloads that rely on 'ImplementationSpecific' paths (for example regex-based routing), so test it before enforcing it.
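The following is an added example of the mitigation described above, written for this page; it is not code from the advisory or from the ingress-nginx project. It uses the built-in Kubernetes ValidatingAdmissionPolicy (admissionregistration.k8s.io/v1, available without a webhook since Kubernetes 1.30) with a CEL expression that denies any Ingress whose rules.http.paths[] contain a pathType of ImplementationSpecific. The policy and binding names are arbitrary choices.

```yaml
# Added example (not part of the advisory or of ingress-nginx):
# reject Ingress objects that use pathType ImplementationSpecific.
# Names below are arbitrary; adjust to your cluster's conventions.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-implementationspecific-ingress-paths
spec:
  # Fail closed: if the expression cannot be evaluated, deny the request.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["networking.k8s.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["ingresses"]
  validations:
    - expression: >-
        !has(object.spec.rules) ||
        object.spec.rules.all(r,
          !has(r.http) ||
          r.http.paths.all(p,
            !has(p.pathType) || p.pathType != 'ImplementationSpecific'))
      message: >-
        Ingress paths with pathType ImplementationSpecific are rejected
        until ingress-nginx is upgraded to 1.13.7 / 1.14.3 or later.
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-implementationspecific-ingress-paths
spec:
  policyName: deny-implementationspecific-ingress-paths
  # Start with ["Warn", "Audit"] to see what would be blocked, then
  # switch to ["Deny"] once legitimate workloads have been verified.
  validationActions: ["Deny"]
```

Apply both objects with kubectl apply -f and confirm that creating an Ingress with a path of pathType ImplementationSpecific is refused with the message above, while Prefix and Exact paths are still admitted. The has() guards keep the expression from erroring on Ingress objects that have no rules or no http block (for example a default-backend-only Ingress), which would otherwise be denied by the Fail policy. Because admission policies do not act on objects that already exist, list the current Ingress resources (kubectl get ingress -A -o json) and inspect their path types by hand as part of the same mitigation.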

Added: Feb 3, 2026, 11:21 PM
Updated: Feb 3, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm

spread         6.4
impact         8.3
exploitability 6.8
remediation    7.9
relevance      2.5
threat         6.4
urgency        2.9
incentive      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.