Veracode Vulnerability DatabaseVERACODE:40686Improper Input Validation
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
0.0005 Low
EPSS
Percentile
16.1%
github.com/kubernetes/ingress-nginx is vulnerable to Improper Input Validation. The vulnerability exists when a newline character is used in spec.rules[].http.paths[].path which allows an attacker to create or update ingress objects and gain access to sensitive information.
References
cloud.ibm.com/status/security?query=IBM+Cloud+Kubernetes+Service+is+affected+by+a+Kubernetes+Ingress+Controller+security+vulnerability+%28CVE-2021-25748%29%0D%0A%0D
github.com/advisories/GHSA-863x-868h-968x
github.com/kubernetes/ingress-nginx/commit/bd1eb048b7e828d62bc92c3ecaeb8288efa91365
github.com/kubernetes/ingress-nginx/issues/8686
github.com/kubernetes/ingress-nginx/pull/8623
groups.google.com/g/kubernetes-security-announce/c/avaRYa9c7I8
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
0.0005 Low
EPSS
Percentile
16.1%