kubernetes-ingress-nginx
cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*
- < 1.13.7
- < 1.14.3
A vulnerability exists in ingress-nginx versions prior to 1.13.7 and 1.14.3 that allows the 'auth-url' Ingress annotation to be bypassed under certain misconfigurations. If the ingress-nginx controller's default custom-errors setting includes HTTP status codes 401 or 403, and the custom-errors backend does not properly handle the X-Code HTTP header, Ingresses carrying the 'auth-url' annotation may be accessible even when authentication fails. This issue requires manual configuration of a faulty external component; the built-in custom-errors backend handles the header correctly.
Exploitation of this vulnerability allows unauthorized access to Ingresses protected by the 'auth-url' annotation, despite failed authentication, potentially leading to unauthorized actions or data exposure.
To address this vulnerability, users should upgrade ingress-nginx to version 1.13.7, 1.14.3, or any later version. If an immediate upgrade is not possible, verify that the custom-errors backend correctly respects the X-Code HTTP header.
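The mitigation above hinges on one property of the custom-errors backend: the status code it returns must be the one ingress-nginx requested in the X-Code header. The following Go program is an added example, not code from the ingress-nginx project, that shows a minimal backend honouring X-Code next to a faulty one that always answers 200 (the misconfiguration described here), plus a probe that sends the two auth-failure codes and reports whether the backend echoed them. The handler names, the 404 fallback for a missing or malformed header, and the `ProbeBackendURL` helper are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// goodErrorsHandler (hypothetical) is a minimal custom-errors backend that respects X-Code:
// the status it returns is the status ingress-nginx asked for.
func goodErrorsHandler(w http.ResponseWriter, r *http.Request) {
	code := http.StatusNotFound // assumed fallback when X-Code is absent or not a 4xx/5xx value
	if v := r.Header.Get("X-Code"); v != "" {
		if n, err := strconv.Atoi(v); err == nil && n >= 400 && n <= 599 {
			code = n
		}
	}
	w.Header().Set("Content-Type", "text/plain")
	w.WriteHeader(code)
	fmt.Fprintf(w, "%d %s\n", code, http.StatusText(code))
}

// brokenErrorsHandler (hypothetical) ignores X-Code and always answers 200,
// which is the faulty external component the advisory warns about.
func brokenErrorsHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain")
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "custom error page")
}

// respectsXCode asks the backend for the two auth-failure statuses and reports
// whether each response carried the requested status code.
func respectsXCode(probe func(code int) (int, error)) (bool, error) {
	for _, want := range []int{http.StatusUnauthorized, http.StatusForbidden} {
		got, err := probe(want)
		if err != nil {
			return false, err
		}
		if got != want {
			return false, fmt.Errorf("X-Code %d: backend answered %d", want, got)
		}
	}
	return true, nil
}

// RespectsXCode checks an in-process handler (used by the test and by main).
func RespectsXCode(h http.Handler) (bool, error) {
	return respectsXCode(func(code int) (int, error) {
		req := httptest.NewRequest(http.MethodGet, "/", nil)
		req.Header.Set("X-Code", strconv.Itoa(code))
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec.Code, nil
	})
}

// ProbeBackendURL runs the same check against a deployed custom-errors service,
// e.g. "http://custom-errors.ingress-nginx.svc:8080/" (placeholder URL).
func ProbeBackendURL(baseURL string) (bool, error) {
	client := &http.Client{Timeout: 5 * time.Second}
	return respectsXCode(func(code int) (int, error) {
		req, err := http.NewRequest(http.MethodGet, baseURL, nil)
		if err != nil {
			return 0, err
		}
		req.Header.Set("X-Code", strconv.Itoa(code))
		resp, err := client.Do(req)
		if err != nil {
			return 0, err
		}
		resp.Body.Close()
		return resp.StatusCode, nil
	})
}

func main() {
	for name, h := range map[string]http.Handler{
		"good":   http.HandlerFunc(goodErrorsHandler),
		"broken": http.HandlerFunc(brokenErrorsHandler),
	} {
		ok, err := RespectsXCode(h)
		fmt.Printf("%-6s respects X-Code: %v (%v)\n", name, ok, err)
	}
}
```

Run `ProbeBackendURL` against the service named in the controller's `--default-backend-service` flag (or whichever service your custom-errors setting points at) while the upgrade is pending; a backend that answers anything other than 401 and 403 to those two probes is the misconfiguration this advisory describes and should be fixed before relying on 'auth-url' protected Ingresses.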