A significant vulnerability, CVE-2024-7646, has been identified in the ingress-nginx controller for Kubernetes. It allows attackers to bypass annotation validation and potentially access sensitive cluster resources, and carries a high CVSS v3.1 score of 8.8. All ingress-nginx versions prior to v1.11.2 are affected. Exploiting the flaw requires specific RBAC permissions. Immediate actions include upgrading ingress-nginx to v1.11.2 or later, auditing existing Ingress objects, implementing strict RBAC, enabling Kubernetes audit logging, and using admission controllers for stricter validation.

From armosec.io (4 min read)
