github.com/kubernetes/ingress-nginx is vulnerable to information disclosure. An attacker who can create or update ingress objects can use the `spec.rules[].http.paths[].path` field of an ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
github.com/advisories/GHSA-pvmg-xgmx-9mxh
github.com/kubernetes/ingress-nginx/commit/89ed571d2a8c7c2486e9671808e27a7cfbe3b40d
github.com/kubernetes/ingress-nginx/issues/8502
github.com/kubernetes/ingress-nginx/pull/8456
groups.google.com/g/kubernetes-security-announce/c/7vQrpDZeBlc
security.netapp.com/advisory/ntap-20220609-0006/
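
An added example, not taken from the advisory or the ingress-nginx project: a Python audit that walks the output of `kubectl get ingress -A -o json` and lists every `spec.rules[].http.paths[].path` value that falls outside a conservative allowlist, so those objects can be reviewed by hand. The allowlist `SAFE_PATH`, the function name and the sample objects are assumptions constructed for illustration; the advisory does not state which path values are unsafe.

```python
import re

# Assumption: a conservative allowlist for literal URL paths. Values outside it
# are not necessarily malicious (regex paths are legitimate); they are reported
# so a human can review them.
SAFE_PATH = re.compile(r"/[A-Za-z0-9/_.~%-]*")
# API groups named in the advisory.
AFFECTED_GROUPS = {"networking.k8s.io", "extensions"}

def audit_ingress_paths(ingress_list):
    """Return (namespace, name, path) for each path value outside the allowlist."""
    findings = []
    for item in ingress_list.get("items", []):
        group = item.get("apiVersion", "").split("/")[0]
        if item.get("kind") != "Ingress" or group not in AFFECTED_GROUPS:
            continue
        meta = item.get("metadata", {})
        for rule in item.get("spec", {}).get("rules") or []:
            # A rule may omit "http" entirely, so guard each level.
            for entry in (rule.get("http") or {}).get("paths") or []:
                path = entry.get("path", "")
                if path and not SAFE_PATH.fullmatch(path):
                    findings.append(
                        (meta.get("namespace", "default"), meta.get("name"), path))
    return findings

# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = {"kind": "List", "items": [
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"namespace": "shop", "name": "api"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/api/v1"}]}}]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"namespace": "shop", "name": "reports"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/reports/(.*)"}]}}]}},
    {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
     "metadata": {"name": "legacy"},
     "spec": {"rules": [{"host": "a.example"},
                        {"http": {"paths": [{"path": "/has space/x"}]}}]}},
]}

if __name__ == "__main__":
    for namespace, name, path in audit_ingress_paths(SAMPLE):
        print(f"review {namespace}/{name}: path={path!r}")
```

To run it against a live cluster, load the JSON produced by `kubectl get ingress -A -o json` and pass the parsed object to `audit_ingress_paths`.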