Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-8553: auth-type basic annotation vulnerability #5126

Closed
aledbf opened this issue Feb 19, 2020 · 4 comments
Closed

CVE-2020-8553: auth-type basic annotation vulnerability #5126

aledbf opened this issue Feb 19, 2020 · 4 comments

Comments

@aledbf
Copy link
Member

aledbf commented Feb 19, 2020

A security issue was discovered in ingress-nginx versions older than v0.28.0. The issue is of medium severity, and upgrading is encouraged to fix the vulnerability.

Am I vulnerable?

The vulnerability exists only if the annotation nginx.ingress.kubernetes.io/auth-type: basic is used.

How do I upgrade?

Follow installation instructions here

Vulnerability Details

A vulnerability has been discovered where a malicious user could create a new Ingress definition resulting in the replacement of the password file. The vulnerability requires that the victim namespace and/or secret use a hyphen in the name.

This scenario requires privileges in the cluster to create and read ingresses and also create secrets.

This issue is filed as CVE-2020-8553.

/close

@k8s-ci-robot
Copy link
Contributor

@aledbf: Closing this issue.

In response to this:

A security issue was discovered in ingress-nginx versions older than v0.28.0. The issue is of medium severity, and upgrading is encouraged to fix the vulnerability.

Am I vulnerable?

The vulnerability exists only if the annotation nginx.ingress.kubernetes.io/auth-type: basic is used.

How do I upgrade?

Follow installation instructions here

Vulnerability Details

A vulnerability has been discovered where a malicious user could create a new Ingress definition resulting in the replacement of the password file. The vulnerability requires that the victim namespace and/or secret use a hyphen in the name.

This scenario requires privileges in the cluster to create and read ingresses and also create secrets.

This issue is filed as CVE-2020-8553.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@galaktipus
Copy link

Any relevant commit for the issue? I couldn't find one regarding the issue number #5126

@atoptsoglou
Copy link
Contributor

Any relevant commit for the issue? I couldn't find one regarding the issue number #5126

I had the same question. I went through the changelog and I saw no reference of the CVE instead I saw another CVE and a sentence which looks like with this issue. My guess was that there is a typo. Did a pull request ed81ee3 to see if this is indeed the case. If it is, then the relevant commit should be https://github.com/kubernetes/ingress-nginx/pull/4960/commits
However, I would prefer that someone confirm my comments.

@aledbf
Copy link
Member Author

aledbf commented Jul 30, 2020

@atoptsoglou that's correct. The description in the CVE is missing the part of privileges related to secrets.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants