
【Vulnerability Alert】Multiple Critical Security Vulnerabilities in Kubernetes ingress-nginx

Publish date: 2025-03-26   Update date: 2025-03-26

Source: Ministry of Education Information & Communication Security Contingency Platform

Publication Number: TACERT-ANA-2025032609031515
Publication Time: 2025/03/26 09:29
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2025/03/26 09:20
Impact Level: Medium
[Subject]
【Vulnerability Alert】Multiple Critical Security Vulnerabilities in Kubernetes ingress-nginx
[Content]
Forwarded from TWCERTCC-200-202503-00000012

Kubernetes (K8s) is a system designed by Google for automating the deployment, scaling, and management of containerized applications, so that containers can be run and managed across a cluster and deployed efficiently. Recently, four critical security vulnerabilities were disclosed in Kubernetes ingress-nginx.

[CVE-2025-24514, CVSS: 8.8] This vulnerability allows the auth-url annotation to inject configuration into nginx, potentially leading to arbitrary code execution in the context of the ingress-nginx controller and disclosure of data the controller can access.

[CVE-2025-1097, CVSS: 8.8] This vulnerability allows the auth-tls-match-cn annotation to inject configuration into nginx, potentially leading to arbitrary code execution in the context of the ingress-nginx controller and disclosure of data the controller can access.

[CVE-2025-1098, CVSS: 8.8] This vulnerability allows the mirror-target and mirror-host annotations to inject configuration into nginx, potentially leading to arbitrary code execution in the context of the ingress-nginx controller and disclosure of data the controller can access.

[CVE-2025-1974, CVSS: 9.8] This vulnerability allows an unauthenticated attacker with access to the Pod network to execute arbitrary code in the context of the ingress-nginx controller, potentially leading to disclosure of data the controller can access.

Information Sharing Level: WHITE (Information content can be publicly disclosed)
[Affected Platform]
● Kubernetes ingress-nginx versions earlier than 1.11.0
● Kubernetes ingress-nginx versions 1.11.0 - 1.11.4
● Kubernetes ingress-nginx version 1.12.0
[Recommended Actions]
Update to the following versions:
● Kubernetes ingress-nginx 1.11.5
● Kubernetes ingress-nginx 1.12.1
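The following script is an added example, not part of this bulletin or of the ingress-nginx project: it takes a list of container image references (in practice obtained from the cluster, for instance with kubectl get pods -A -o jsonpath='{..image}'), picks out ingress-nginx controller images, and reports which ones fall inside the affected ranges above together with the fixed release from this section. The sample image list is constructed for the example; the mapping of pre-1.11 versions to 1.11.5 is the example's own choice, since the bulletin lists both 1.11.5 and 1.12.1 as acceptable targets.

```python
"""Audit ingress-nginx controller image tags against the affected ranges in the advisory.
Added example: not the bulletin's own tooling. Image references are parsed offline; the
sample list at the bottom is constructed and the digest is a placeholder."""
import re

# Matches registry.k8s.io/ingress-nginx/controller:v1.11.3 and the -chroot image variant.
TAG_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")


def parse_controller_version(image):
    """Return (major, minor, patch) for an ingress-nginx controller image, or None
    when the reference is not an ingress-nginx controller image at all."""
    m = TAG_RE.search(image)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies in one of the advisory's affected ranges:
    earlier than 1.11.0, 1.11.0 through 1.11.4, or exactly 1.12.0."""
    major, minor, patch = version
    if (major, minor) < (1, 11):
        return True            # "versions earlier than 1.11.0"
    if (major, minor) == (1, 11):
        return patch < 5       # 1.11.0 - 1.11.4; 1.11.5 is the fixed release
    if (major, minor) == (1, 12):
        return patch == 0      # 1.12.0; 1.12.1 is the fixed release
    return False               # newer release lines are not listed in the advisory


def recommended_fix(version):
    """Fixed release from [Recommended Actions] for the version's line.
    Example's own choice: anything on 1.11 or older is pointed at 1.11.5."""
    major, minor, _ = version
    return "1.12.1" if (major, minor) >= (1, 12) else "1.11.5"


def audit_images(images):
    """Return (image, version_string, affected, fix) for every ingress-nginx
    controller image in the input; fix is None when no upgrade is needed."""
    findings = []
    for image in images:
        v = parse_controller_version(image)
        if v is None:
            continue  # webhook-certgen, application images, etc. are not the controller
        affected = is_affected(v)
        fix = recommended_fix(v) if affected else None
        findings.append((image, "%d.%d.%d" % v, affected, fix))
    return findings


# Constructed sample of what a cluster-wide image listing might contain.
SAMPLE_IMAGES = [
    "registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:PLACEHOLDER_DIGEST",
    "registry.k8s.io/ingress-nginx/controller:v1.12.0",
    "registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1",
    "registry.k8s.io/ingress-nginx/controller:v1.10.1",
    "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4",
    "nginx:1.27",
]

if __name__ == "__main__":
    for image, version, affected, fix in audit_images(SAMPLE_IMAGES):
        status = "AFFECTED -> upgrade to %s" % fix if affected else "not in affected ranges"
        print("%-75s %-8s %s" % (image, version, status))
```

Running the script on the sample list flags the 1.11.3, 1.12.0 and 1.10.1 controllers and leaves the 1.12.1 chroot image alone; non-controller images are skipped rather than reported, so a missing finding for a namespace means no controller image was seen there, not that it is patched.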
[Reference]
1. https://www.twcert.org.tw/tw/cp-169-10026-1ab72-1.html
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of Education Information & Communication Security Contingency Platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center