GCVE - cpe:2.3:a:kubernetes:kubernetes_ingress-nginx:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:kubernetes:kubernetes_ingress-nginx:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Kubernetes (`3ee05930-9e42-51b2-ad52-30832f573b15`)
Product	Kubernetes Ingress Nginx (`d4d569c9-fb35-5f30-b363-da9775791e4e`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2021-25748`	vulnerable	2026-06-03 14:44:05.821092	Ingress-nginx `path` sanitization can be bypassed with newline character HIGH (7.6) A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. Published: 2023-05-24T00:00:00.000Z Updated: 2025-01-16T21:23:39.341Z Open on db.gcve.eu Reference links https://groups.google.com/g/kubernetes-security-announce/c/avaRYa9c7I8 https://github.com/kubernetes/ingress-nginx/issues/8686	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-25746`	vulnerable	2026-06-03 14:44:05.820726	Ingress-nginx directive injection via annotations HIGH (7.6) A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. Published: 2022-05-06T00:50:15.541Z Updated: 2024-09-17T03:48:11.881Z Open on db.gcve.eu Reference links https://groups.google.com/g/kubernetes-security-announce/c/hv2-SfdqcfQ https://github.com/kubernetes/ingress-nginx/issues/8503 https://security.netapp.com/advisory/ntap-20220609-0006/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-25745`	vulnerable	2026-06-03 14:44:05.820317	Ingress-nginx path can be pointed to service account token file HIGH (7.6) A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. Published: 2022-05-06T00:50:14.042Z Updated: 2024-09-16T18:24:11.711Z Open on db.gcve.eu Reference links https://groups.google.com/g/kubernetes-security-announce/c/7vQrpDZeBlc https://github.com/kubernetes/ingress-nginx/issues/8502 https://security.netapp.com/advisory/ntap-20220609-0006/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-25742`	vulnerable	2026-06-03 14:44:05.814359	Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces HIGH (7.6) A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. Published: 2021-10-29T04:05:10.713Z Updated: 2024-09-16T23:06:12.392Z Open on db.gcve.eu Reference links https://groups.google.com/g/kubernetes-security-announce/c/mT4JJxi9tQY https://github.com/kubernetes/ingress-nginx/issues/7837 https://security.netapp.com/advisory/ntap-20211203-0001/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.

Kubernetes Ingress Nginx

PURL mappings

Vulnerability references

Contribute