A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
This repository contains a proof of concept (PoC) for CVE-2024-7646, a vulnerability in the NGINX Ingress Controller for Kubernetes. The issue allows an attacker to access the Kubernetes Service Account (SA) token by exploiting improper input validation in the `nginx.ingress.kubernetes.io/auth-tls-verify-client` annotation.
PoC Overview
The PoC demonstrates how to exploit this vulnerability by creating an Ingress resource that allows the attacker to access the SA token via the `/show-token` endpoint.
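For defenders, an audit of existing Ingress objects for unexpected values in this annotation, as an added example that is not part of the original repository. It assumes the input is the JSON from `kubectl get ingress -A -o json` and that the only legitimate values are the four listed in the ingress-nginx annotation documentation; the sample data and the `audit_ingresses` name are constructed for illustration.

```python
import json
import sys

VERIFY_CLIENT = "nginx.ingress.kubernetes.io/auth-tls-verify-client"
# Assumption: values the ingress-nginx documentation lists for this annotation.
ALLOWED = {"on", "off", "optional", "optional_no_ca"}


def audit_ingresses(ingress_list):
    """Return (namespace, name, repr(value)) for every Ingress whose
    auth-tls-verify-client annotation is not exactly an allowed value."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}  # may be absent or null
        if VERIFY_CLIENT not in annotations:
            continue
        value = annotations[VERIFY_CLIENT]
        # Exact match only: no stripping or lowercasing, so padding or
        # trailing text after a valid keyword is still reported.
        if value not in ALLOWED:
            # repr() makes whitespace and control characters visible.
            findings.append((meta.get("namespace", "default"),
                             meta.get("name", "?"), repr(value)))
    return findings


# Constructed sample standing in for `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"apiVersion": "networking.k8s.io/v1",
     "metadata": {"namespace": "team-a", "name": "web",
                  "annotations": {VERIFY_CLIENT: "optional"}}},
    {"apiVersion": "networking.k8s.io/v1",
     "metadata": {"namespace": "team-b", "name": "api",
                  "annotations": {
                      VERIFY_CLIENT: "on\t(constructed unexpected suffix)"}}},
    {"apiVersion": "networking.k8s.io/v1",
     "metadata": {"namespace": "team-c", "name": "static",
                  "annotations": None}},
]}

if __name__ == "__main__":
    # Read real cluster output from stdin when piped, else use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for namespace, name, value in audit_ingresses(data):
        print(f"{namespace}/{name}: unexpected {VERIFY_CLIENT} value {value}")
```

Any finding should be traced back to the account that created or last modified the Ingress, since the issue requires permission to create Ingress objects.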