Learn how CVE-2024-7646 allows attackers to bypass ingress-nginx validation and compromise Kubernetes clusters, and how to secure your systems

Armo provides a cloud security platform, focusing on Kubernetes security through its open-source tool, Kubescape. The platform offers runtime-driven security posture management, behavioral-based cloud detection and response, and runtime-based vulnerability management.

Armo

A significant vulnerability, CVE-2024-7646, affecting the ingress-nginx controller in Kubernetes has been identified, allowing attackers to bypass annotation validation and potentially access sensitive cluster resources. This vulnerability has a high CVSS v3.1 score of 8.8. Affected versions are all versions prior to v1.11.2. Exploiting this flaw requires specific RBAC permissions. Immediate actions include upgrading ingress-nginx to v1.11.2 or later, auditing existing Ingress objects, implementing strict RBAC, enabling Kubernetes audit logging, and using admission controllers for stricter validation.

CVE-2024-7646: Ingress-Nginx Annotation Validation Bypass