F5 NGINX Ingress Controller
cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*
- >= 5.0.0, <= 5.5.1
- >= 4.0.0, <= 4.0.1
- >= 3.6.0, <= 3.7.2
A denial-of-service vulnerability has been identified in NGINX Ingress Controller versions 3.6.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.5.1. When the Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify these resources can cause the Ingress Controller process to terminate. This leads to a persistent crash loop in the control plane, while the malformed resource remains in the cluster. There is no exposure in the data plane; the issue is confined to the control plane.
Exploitation of this vulnerability causes the NGINX Ingress Controller control plane process to terminate and enter a persistent crash loop, disrupting the availability of the controller while the malformed Ingress or TransportServer resource remains in the cluster.
To address this vulnerability, users can upgrade to NGINX Ingress Controller version 5.5.2. If a crash loop is already in progress, the malicious resource can be deleted to restore controller availability.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.