6262 matches found
CVE-2021-25746
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object in the networking.k8s.io or extensions API group to obtain the credentials of the ingress-nginx controller. In the default configuration, that...
Default configuration
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules.http.paths.path field of an Ingress object in the networking.k8s.io or extensions API group to obtain the credentials of the ingress-nginx controller. In the default...
CVE-2021-25746
CVE-2021-25746 affects the ingress-nginx controller. A user who can create or update Ingress objects can read the controller’s credentials by manipulating .metadata.annotations in an Ingress (networking.k8s.io or extensions API group). In the default configuration, those credentials grant access ...
CVE-2021-25746 Ingress-nginx directive injection via annotations
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object in the networking.k8s.io or extensions API group to obtain the credentials of the ingress-nginx controller. In the default configuration, that...
CVE-2021-25745 Ingress-nginx path can be pointed to service account token file
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules.http.paths.path field of an Ingress object in the networking.k8s.io or extensions API group to obtain the credentials of the ingress-nginx controller. In the default...
CVE-2021-25745
The connected records confirm CVE-2021-25745 affects ingress-nginx in Kubernetes. A user who can create/update Ingress objects can abuse spec.rules[].http.paths[].path (in networking.k8s.io or extensions) to obtain the credentials of the ingress-nginx controller. In the default configuration, tha...
PT-2022-9683 · Unknown · Ingress-Nginx
Name of the Vulnerable Software and Affected Versions: ingress-nginx affected versions not specified Description: A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object to obtain the credentials of...
CVE-2022-27495
On all versions 1.3.x (fixed in 1.4.0) NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...
Design/Logic Flaw
On all versions 1.3.x (fixed in 1.4.0) NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...
CVE-2022-27495
Summary of CVE-2022-27495: The vulnerability affects NGINX Service Mesh (NGINX Service Mesh control plane), where endpoints are exposed to the cluster overlay network in versions 1.3.x; fixed in 1.4.0. The F5 advisory K94093538 lists affected branch 1.x (1.3.0–1.3.1) with fix in 1.4.0, and descri...
Internet Bug Bounty: rubygems.org Batching attack to `confirmation_token` by bypass rate limit
The following is copied from hackerone's report. https://hackerone.com/reports/1529183 --- I confirmed that EmailConfirmationsController has the same problem as https://hackerone.com/reports/449356...
F5 NGINX Service Mesh access control error vulnerability
F5 NGINX Service Mesh (F5 NSM) is a fully integrated, lightweight service mesh from F5 (USA). Leveraging a data plane powered by NGINX Plus to manage container traffic in Kubernetes environments, F5 NGINX Service Mesh suffers from an access control error vulnerability that can be exploited by attacker...
Ubuntu: Security Advisory (USN-5371-2)
The remote host is missing an update for the...
USN-5371-2 nginx vulnerability
USN-5371-1 fixed several vulnerabilities in nginx. This update provides the fix for CVE-2021-3618 for Ubuntu 22.04 LTS. Original advisory details: It was discovered that nginx Lua module mishandled certain inputs. An attacker could possibly use this issue to perform an HTTP Request Smuggling...
USN-5371-2: nginx vulnerability
USN-5371-1 fixed several vulnerabilities in nginx. This update provides the fix for CVE-2021-3618 for Ubuntu 22.04 LTS. Original advisory details: It was discovered that nginx Lua module mishandled certain inputs. An attacker could possibly use this issue to perform an HTTP Request Smuggling...
The vulnerability of the njs_function_frame_alloc() function in the njs interpreter of the nginx server allows attackers to compromise the confidentiality, integrity, and availability of information.
The vulnerability of the njs_function_frame_alloc() function in the njs interpreter of the nginx server is related to the use of memory after it is freed. Exploiting this vulnerability could allow a remote attacker to compromise the confidentiality, integrity, and availability of information...