CVE-2025-1098 Scanner

CVE-2025-1098 Scanner - Configuration Injection vulnerability in Ingress-Nginx Controller

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 14 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Ingress-Nginx Controller is a widely used open-source ingress controller for Kubernetes, providing HTTP and HTTPS routing for Kubernetes services. It plays a critical role in managing the traffic between external clients and services running inside Kubernetes clusters. The Ingress-Nginx Controller is deployed in cloud and on-premise environments where Kubernetes clusters are used for container orchestration. It integrates with Kubernetes to provide flexible routing, SSL/TLS termination, and other ingress-related features. This software is commonly used by DevOps teams and cloud infrastructure engineers in production-grade Kubernetes environments. Due to its widespread adoption, security issues in this controller can have a significant impact on the overall security posture of Kubernetes clusters.

A security vulnerability was discovered in the Ingress-Nginx Controller, where the `mirror-target` and `mirror-host` annotations can be exploited to inject arbitrary configuration into the Nginx instance. The issue allows an attacker to execute arbitrary code within the Nginx context, leading to potential code execution on the ingress-nginx controller. The injected configuration could also lead to the exposure of sensitive information, such as Secrets that the controller has access to. This vulnerability is classified as high severity, as it allows unauthorized users to manipulate the controller's configuration without proper authentication or validation.

The vulnerability arises from the use of unsanitized `mirror-target` and `mirror-host` annotations in the Ingress resource. By crafting a malicious Ingress resource with these annotations, an attacker can inject arbitrary Nginx configuration, which can include directives like `load_module` or other malicious commands. This results in the execution of arbitrary code in the context of the ingress-nginx controller, which is capable of accessing sensitive cluster-wide secrets. The exploitation of this vulnerability does not require authentication, making it particularly dangerous if an attacker gains access to the Kubernetes environment. The malicious configuration injection is processed when the Ingress object is created or updated, triggering unintended behavior in the controller.
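A defensive audit for the annotations described above, added here as an example and not taken from this page or from the ingress-nginx project: it reads Ingress objects in the JSON shape that `kubectl get ingress -A -o json` produces and reports `mirror-target` and `mirror-host` values containing line breaks or characters that could end or restructure an Nginx directive. The character list is a heuristic assumption, and the sample objects are constructed.

```python
import json
import re
import sys

# Matched by suffix so a non-default annotation prefix is covered too.
MIRROR_SUFFIXES = ("/mirror-target", "/mirror-host")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # includes CR and LF
# Heuristic (assumption): characters that can end or restructure a directive.
METACHAR = re.compile(r"[;{}#\"'\\ ]")


def classify(value):
    """Return a reason string if the value looks unsafe, else None."""
    if CONTROL.search(value):
        return "control character or line break"
    hit = METACHAR.search(value)
    return f"nginx metacharacter {hit.group()!r}" if hit else None


def audit_ingresses(doc):
    """Return (namespace, name, annotation, reason) for each suspicious value."""
    items = doc["items"] if "items" in doc else [doc]
    findings = []
    for item in items:
        meta = item.get("metadata") or {}
        for key, value in (meta.get("annotations") or {}).items():
            if not key.endswith(MIRROR_SUFFIXES):
                continue
            reason = classify(str(value))
            if reason:
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name"), key, reason))
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = {"kind": "List", "items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/mirror-target": "https://mirror.example.test/$request_uri"}}},
    {"metadata": {"namespace": "dev", "name": "odd", "annotations": {
        "nginx.ingress.kubernetes.io/mirror-host": "mirror.example.test\nPLACEHOLDER_DIRECTIVE;"}}},
    {"metadata": {"namespace": "dev", "name": "plain"}},  # no annotations at all
]}

if __name__ == "__main__":
    # Pass a JSON file path to audit real output; otherwise use the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ns, name, key, reason in audit_ingresses(doc):
        print(f"{ns}/{name}: {key}: {reason}")
```

A finding means the value deserves manual review; a clean result does not prove the controller itself is patched.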

If exploited, this vulnerability can lead to the execution of arbitrary code on the ingress-nginx controller, potentially allowing the attacker to take control of the cluster's ingress traffic management. The attacker could access sensitive secrets that the controller has access to, further compromising the security of the entire Kubernetes cluster. This could lead to data leakage, privilege escalation, and potential disruption of services managed by the ingress controller. The attacker could also escalate attacks to other components within the cluster, leading to a full compromise of the Kubernetes environment.
