K01051452 : NGINX Ingress Controller vulnerability CVE-2021-23055

2021-11-1000:00:00

my.f5.com

103

0.001 Low

EPSS

Percentile

28.6%

JSON

Security Advisory Description

The command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. (CVE-2021-23055)

Impact

An attacker with privileges to deploy Ingress resources can inject configuration snippets that may allow them to gain access to secrets using the Ingress service account permissions.

In NGINX Ingress Controller versions prior to 2.0.3 and 1.12.3, Ingress resources can be configured without setting the** -enable-snippets** command line argument.

Beginning in NGINX Ingress Controller versions 2.0.3 and 1.12.3, snippet notations are handled only when the snippets capability is explicitly enabled by the Ingress operator using the** -enable-snippets** command line argument.

For more information about using snippets in your NGINX configuration, refer to Advanced Configuration with Snippets.

CPENameOperatorVersion
f5 ssl orchestratoreq14.1.0
f5 ssl orchestratoreq14.1.2
f5 ssl orchestratoreq14.1.4
f5 ssl orchestratoreq15.1.0
f5 ssl orchestratoreq15.1.1
f5 ssl orchestratoreq16.1.0
big-ip afmeq11.6.1
big-ip afmeq11.6.2
big-ip afmeq11.6.3
big-ip afmeq11.6.4

Name	Operator	Version
f5 ssl orchestrator	eq	14.1.0
f5 ssl orchestrator	eq	14.1.2
f5 ssl orchestrator	eq	14.1.4
f5 ssl orchestrator	eq	15.1.0
f5 ssl orchestrator	eq	15.1.1
f5 ssl orchestrator	eq	16.1.0
big-ip afm	eq	11.6.1
big-ip afm	eq	11.6.2
big-ip afm	eq	11.6.3
big-ip afm	eq	11.6.4

Rows per page:

1-10 of 4041

0.001 Low

EPSS

Percentile

28.6%

JSON

Related for F5:K01051452