Hello Kubernetes Community,
Multiple issues have been discovered in ingress-nginx that can result in arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
The most serious of these issues has been rated Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (Score: 9.8), and assigned CVE-2025-1974.
Am I vulnerable?
These issues affect ingress-nginx only. If you do not have ingress-nginx installed on your cluster, you are not affected.
You can check by listing pods that carry the project's standard name label:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
An empty result means ingress-nginx is not installed. If pods are returned, compare the controller container's image tag against the fixed versions listed under "How do I mitigate this vulnerability?" below. Installations that do not use the project's standard labels will not match this selector; in that case locate the controller Deployment or DaemonSet directly and inspect its image tag.
Affected Versions
How do I mitigate this vulnerability?
ACTION REQUIRED: The following steps must be taken to mitigate these vulnerabilities: Upgrade ingress-nginx to v1.11.5, v1.12.1, or any later version.
Before applying the patch, these issues can be partially mitigated by disabling the Validating Admission Controller functionality of ingress-nginx. If you installed with the project's Helm chart, reinstall or upgrade the release with the chart value controller.admissionWebhooks.enabled=false. If you installed from the project's manifests, delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove the --validating-webhook argument from the controller container in the ingress-nginx-controller Deployment or DaemonSet. Note that this is a workaround, not a fix: it removes the admission-time validation of Ingress objects, so malformed Ingress resources will no longer be rejected, and it should be reverted once the upgraded controller is in place.
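The following script is an added example, not part of the advisory or the ingress-nginx project. It takes the kind of pod listing produced by the kubectl check above (namespace, pod name, container images) and classifies each controller image tag against the fixed versions the advisory names: v1.11.5, v1.12.1, or any later release. The advisory's list of affected versions is not reproduced on this page, so any controller below a fixed version is reported as "needs-upgrade" rather than as confirmed affected, and any tag that is not a plain vX.Y.Z (such as "latest" or a pre-release) is reported as "unknown" so it is never silently treated as safe. The jsonpath query in the comment, the assumption that the controller image repository is named controller or controller-chroot, and the sample pod listing are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: classify ingress-nginx controller images against the fixed
# versions named in the advisory (v1.11.5, v1.12.1, or any later release).
# Not part of the advisory or of the ingress-nginx project.

# version_status TAG -> prints one of: fixed | needs-upgrade | unknown
version_status() {
    tag=$1
    case "$tag" in
        v*.*.*) ;;
        *) echo unknown; return 0 ;;   # "latest", "", or any non-semver tag
    esac
    ver=${tag#v}
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs   # split on dots only
    if [ $# -ne 3 ]; then echo unknown; return 0; fi
    major=$1; minor=$2; patch=$3
    case "$major$minor$patch" in
        ''|*[!0-9]*) echo unknown; return 0 ;;  # e.g. v1.12.1-rc1 is not a release tag
    esac
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ]; then echo unknown; return 0; fi
    # Fixed: v1.11.5+, v1.12.1+, and every later minor or major line.
    if [ "$major" -gt 1 ]; then echo fixed
    elif [ "$major" -lt 1 ]; then echo needs-upgrade
    elif [ "$minor" -gt 12 ]; then echo fixed
    elif [ "$minor" -eq 12 ] && [ "$patch" -ge 1 ]; then echo fixed
    elif [ "$minor" -eq 11 ] && [ "$patch" -ge 5 ]; then echo fixed
    else echo needs-upgrade
    fi
}

# tag_of_image IMAGE -> prints the image tag, or an empty line if there is none.
# A trailing @sha256:... digest is dropped first; the tag is taken from the
# last path component so a registry with a port (host:5000/...) is not mistaken for a tag.
tag_of_image() {
    img=${1%%@*}
    last=${img##*/}
    case "$last" in
        *:*) printf '%s\n' "${last##*:}" ;;
        *) printf '\n' ;;
    esac
}

# image_status IMAGE -> fixed | needs-upgrade | unknown
image_status() {
    version_status "$(tag_of_image "$1")"
}

# report: reads lines of "namespace pod image [image ...]" on stdin, prints one
# line per controller image with its status, and returns 0 only if every
# controller image is at a fixed version. Non-controller images (for example the
# admission-webhook certgen jobs) are skipped. Assumption: the controller image
# repository is named "controller" or "controller-chroot".
report() {
    bad=0
    while read -r ns pod images; do
        for image in $images; do
            case "${image%%@*}" in
                */controller:*|*/controller-chroot:*|*/controller|*/controller-chroot) ;;
                *) continue ;;
            esac
            status=$(image_status "$image")
            printf '%s/%s %s %s\n' "$ns" "$pod" "$image" "$status"
            case "$status" in fixed) ;; *) bad=1 ;; esac
        done
    done
    return $bad
}

# Constructed sample input (not real cluster output), in the shape produced by:
#   kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
#     -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}'
SAMPLE='ingress-nginx ingress-nginx-controller-7d4c8f8b9-abcde registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:0000000000000000000000000000000000000000000000000000000000000000
ingress-nginx ingress-nginx-controller-7d4c8f8b9-fghij registry.k8s.io/ingress-nginx/controller:v1.12.1
edge ingress-nginx-controller-6b5d9f7c8-klmno localhost:5000/ingress-nginx/controller-chroot:v1.11.5
ingress-nginx ingress-nginx-admission-create-x7k2p registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0'

printf '%s\n' "$SAMPLE" | report || echo "ACTION REQUIRED: at least one controller is not at v1.11.5, v1.12.1, or later"
```

Pipe the real kubectl output into report in place of the constructed SAMPLE. The script exits non-zero whenever any controller is below a fixed version or has a tag it cannot parse, so it can gate a CI or fleet check.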
Fixed Versions
v1.11.5 and v1.12.1 (as noted above); any later release also contains the fixes.
To upgrade, refer to the documentation: Upgrading Ingress-nginx
Detection
If you find evidence that these vulnerabilities have been exploited, please contact [email protected]
Additional Details
See these GitHub issues for more details:
CVE-2025-24513: https://github.com/kubernetes/kubernetes/issues/131005
CVE-2025-24514: https://github.com/kubernetes/kubernetes/issues/131006
CVE-2025-1097: https://github.com/kubernetes/kubernetes/issues/131007
CVE-2025-1098: https://github.com/kubernetes/kubernetes/issues/131008
CVE-2025-1974: https://github.com/kubernetes/kubernetes/issues/131009
Acknowledgements
These vulnerabilities were reported by Nir Ohfeld, Ronen Shustin, Sagi Tzadik, and Hillai Ben Sasson, from Wiz.
These issues were fixed and coordinated by Marco Ebert, James Strong, Tabitha Sable, and the Kubernetes Security Response Committee.
Thank You,
Tabitha Sable, on behalf of the Kubernetes Security Response Committee