NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. (CVE-2022-27495)
Impact
An attacker may affect traffic policies, security policies, and other reverse proxy capabilities of NGINX Service Mesh if they’ve gained access to a Kubernetes cluster. Configuration and management endpoints are authenticated and authorized from external networks using Kubernetes authentication and Role-based Access Control (RBAC) policies. However, if an attacker can gain access to the internal overlay network, authentication and authorization policies can be bypassed; leaving NGINX Service Mesh exposed to unauthorized manipulation.