CVE-2025-1097 Scanner
CVE-2025-1097 Scanner - Configuration Injection vulnerability in Ingress-Nginx Controller
Short Info
Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Ingress-Nginx Controller is an open-source ingress controller for Kubernetes that manages HTTP and HTTPS routing for services within Kubernetes clusters. It plays a key role in traffic management between external clients and Kubernetes services. Commonly used in cloud-native environments, it helps DevOps teams and Kubernetes administrators handle external access to applications within the cluster. Ingress-Nginx Controller integrates with Kubernetes to offer features such as SSL/TLS termination, URL routing, and authentication. This software is critical in ensuring secure and efficient routing of external traffic to internal services. Security vulnerabilities within the Ingress-Nginx Controller can expose Kubernetes environments to significant risks, including unauthorized access and data leaks.
The Ingress-Nginx Controller contains a vulnerability where the `auth-tls-match-cn` annotation can be used to inject arbitrary configuration into the Nginx instance. This vulnerability allows an attacker to execute arbitrary code within the context of the ingress-nginx controller. As the ingress controller has access to sensitive information like Secrets across the Kubernetes cluster, the exploitation of this vulnerability could lead to the unauthorized disclosure of such Secrets. This issue is classified as high severity because of its potential to compromise the security and integrity of Kubernetes clusters.
The vulnerability occurs when an attacker injects arbitrary configuration into the Nginx controller using the `auth-tls-match-cn` annotation within an Ingress resource. Because the annotation value is copied into the generated Nginx configuration, modifying it to include malicious directives, such as `ssl_engine` or other Nginx directives, lets the attacker force the ingress-nginx controller to load unintended modules or execute arbitrary code. The injected configuration can also leak Secrets, which are accessible by the ingress controller in the default configuration. This vulnerability requires no authentication to exploit and can be triggered simply by creating or modifying an Ingress resource with the malicious annotation.
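A defender-side audit for the injection vector described above, added here as an example and not part of the scanner or of the ingress-nginx project: it walks the Ingress objects of a cluster (the parsed output of `kubectl get ingress -A -o json`, constructed inline below) and flags any `auth-tls-match-cn` value containing characters that can terminate or escape the generated Nginx directive. It assumes the default `nginx.ingress.kubernetes.io/` annotation prefix; the prefix is configurable, so adjust `ANNOTATION` if your controller uses another one.

```python
import json
import re

# Full annotation key, assuming the controller's default annotation prefix.
ANNOTATION = "nginx.ingress.kubernetes.io/auth-tls-match-cn"

# A legitimate CN match expression never needs a directive terminator (;),
# block braces, a comment marker (#) or line breaks; any of these in the value
# is a sign that someone is trying to break out of the generated Nginx config.
SUSPICIOUS = re.compile(r"[;{}#\r\n]")


def find_suspicious_ingresses(ingress_list):
    """Return (namespace, name, value) for every Ingress whose
    auth-tls-match-cn annotation contains config-breaking characters.

    `ingress_list` is a parsed IngressList object, i.e. the JSON that
    `kubectl get ingress -A -o json` prints."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        value = annotations.get(ANNOTATION)
        if value is None:
            continue
        if SUSPICIOUS.search(value):
            findings.append((meta.get("namespace"), meta.get("name"), value))
    return findings


# Constructed sample: one benign match expression and one value that carries a
# directive terminator followed by a line break (placeholder text, not a payload).
SAMPLE = json.loads("""{
 "items": [
  {"metadata": {"namespace": "shop", "name": "web", "annotations":
    {"nginx.ingress.kubernetes.io/auth-tls-match-cn": "CN=client-a"}}},
  {"metadata": {"namespace": "dev", "name": "test", "annotations":
    {"nginx.ingress.kubernetes.io/auth-tls-match-cn": "CN=x;\\n# placeholder"}}}
 ]}""")

if __name__ == "__main__":
    for ns, name, value in find_suspicious_ingresses(SAMPLE):
        print(f"{ns}/{name}: suspicious auth-tls-match-cn value {value!r}")
```

Run it against live output with `kubectl get ingress -A -o json | python3 audit.py` after replacing `SAMPLE` with `json.load(sys.stdin)`; a hit is worth investigating even on a patched controller, since nothing legitimate puts those characters in a CN match.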
If exploited, this vulnerability can allow attackers to execute arbitrary code on the ingress-nginx controller. This could lead to unauthorized access to sensitive information, including cluster-wide Secrets that the controller has access to. The attack could escalate further, allowing the attacker to potentially take control of the entire Kubernetes environment. Additionally, the exploitation could result in the disruption of ingress traffic management, causing service outages or degraded application performance. The impact of this vulnerability is severe, making it critical to apply the necessary patches and mitigate exposure.