Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2020-8553: ingress-nginx auth-type basic annotation vulnerability #126818

Closed
aledbf opened this issue Feb 19, 2020 · 7 comments
Closed

CVE-2020-8553: ingress-nginx auth-type basic annotation vulnerability #126818

aledbf opened this issue Feb 19, 2020 · 7 comments
Labels
area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@aledbf
Copy link
Member

aledbf commented Feb 19, 2020

A security issue was discovered in ingress-nginx versions older than v0.28.0. The issue is of medium severity, and upgrading is encouraged to fix the vulnerability.

Am I vulnerable?

The vulnerability exists only if the annotation nginx.ingress.kubernetes.io/auth-type: basic is used.

How do I upgrade?

Follow installation instructions here

Vulnerability Details

A vulnerability has been discovered where a malicious user could create a new Ingress definition resulting in the replacement of the password file. The vulnerability requires that the victim namespace and/or secret use a hyphen in the name.

This scenario requires privileges in the cluster to create and read ingresses and also create secrets.

This issue is filed as CVE-2020-8553.

/close
@k8s-ci-robot
Copy link
Contributor

@aledbf: Closing this issue.

In response to this:

A security issue was discovered in ingress-nginx versions older than v0.28.0. The issue is of medium severity, and upgrading is encouraged to fix the vulnerability.

Am I vulnerable?

The vulnerability exists only if the annotation nginx.ingress.kubernetes.io/auth-type: basic is used.

How do I upgrade?

Follow installation instructions here

Vulnerability Details

A vulnerability has been discovered where a malicious user could create a new Ingress definition resulting in the replacement of the password file. The vulnerability requires that the victim namespace and/or secret use a hyphen in the name.

This scenario requires privileges in the cluster to create and read ingresses and also create secrets.

This issue is filed as CVE-2020-8553.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tamir-ben
Copy link

Any relevant commit for the issue? I couldn't find one regarding the issue number #126818

@atoptsoglou
Copy link

Any relevant commit for the issue? I couldn't find one regarding the issue number #126818

I had the same question. I went through the changelog and I saw no reference of the CVE instead I saw another CVE and a sentence which looks like with this issue. My guess was that there is a typo. Did a pull request kubernetes/ingress-nginx@ed81ee3 to see if this is indeed the case. If it is, then the relevant commit should be https://github.com/kubernetes/ingress-nginx/pull/4960/commits
However, I would prefer that someone confirm my comments.

@aledbf
Copy link
Member Author

aledbf commented Jul 30, 2020

@atoptsoglou that's correct. The description in the CVE is missing the part of privileges related to secrets.

@cji
Copy link
Member

cji commented Aug 20, 2024

/transfer kubernetes

@k8s-ci-robot k8s-ci-robot transferred this issue from kubernetes/ingress-nginx Aug 20, 2024
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 20, 2024
@cji
Copy link
Member

cji commented Aug 20, 2024

/area security
/kind bug
/committee security-response
/triage accepted
/lifecycle frozen
/label official-cve-feed

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. area/security kind/bug Categorizes issue or PR as related to a bug. committee/security-response Denotes an issue or PR intended to be handled by the product security committee. triage/accepted Indicates an issue or PR is ready to be actively worked on. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 20, 2024
@cji
Copy link
Member

cji commented Aug 20, 2024

For improving the CVE feed:
/retitle CVE-2020-8553: ingress-nginx auth-type basic annotation vulnerability

@k8s-ci-robot k8s-ci-robot changed the title CVE-2020-8553: auth-type basic annotation vulnerability CVE-2020-8553: ingress-nginx auth-type basic annotation vulnerability Aug 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@aledbf @cji @k8s-ci-robot @atoptsoglou @tamir-ben