An attacker authorized to create or update ingress objects can obtain the secrets available to the NGINX Ingress Controller. (CVE-2022-30535)
Impact
This vulnerability may allow an authenticated attacker with network access to NGINX Ingress Controller ingress objects to read confidential data. In the default configuration, the attacker has access to all secrets in the cluster. In a single namespace configuration, the attacker access is limited to the secrets of the namespace. There is no data plane exposure; this is a control plane issue only.