#kubernetes

**Why are we publishing this Kubernetes CVE in the Security Update Guide?** We are republishing these CVEs because on March 24, 2025, the Kubernetes SRC (Security Response Committee) published 5 CVEs that disclose vulnerabilities in the Kubernetes NGINX Ingress Controller. Some of these vulnerabilities might affect you if you have this component running in your Kubernetes cluster. **How do I know if I am affected by these vulnerabilities?** If you are running your own **Kubernetes NGINX Ingress Controller, please review the CVEs and mitigate by updating to the latest patch versions** (v1.11.5 and v1.12.1). **If you are using the** Managed NGINX ingress with the application routing add-on on AKS, the patches are getting rolled out to all regions and should be completed in a few days. No action is required. The status of the AKS deployment can be monitored here: AKS Release Status. **Where can I find more information about these vulnerabilities?** CVE ID Link to Github Issue CVE...

A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a brief period in which the pods are running, but network policies that should apply to connections to and from the pods are not enforced.

UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.

Today, ensuring the security and integrity of your software supply chain is more critical than ever. Red Hat Advanced Cluster Security for Kubernetes is focused on providing users the tools to tackle the greatest security challenges.One essential tool in this effort is the software bill of materials (SBOM), which provides a comprehensive list of all components and libraries used within a software product. With the growing importance of SBOMs for supply chain security—especially in light of the NIST Executive Order—Red Hat Advanced Cluster Security 4.7 introduces new features for generating

Confidential computing strengthens application security by providing isolation, encryption and attestation so data remains protected while in use. By integrating these security features with a scalable, high-performance artificial intelligence (AI) and machine learning (ML) ecosystem, organizations can adopt a defense-in-depth approach. This is especially critical for regulated industries handling sensitive data, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and financial information, enabling them to leverage AI with confidence.In this article, we expl

### Impact The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load Secret from arbitrary namespaces upon deployment of the namespace scoped Custom Resource `BMCEventSubscription` (BMCES). An adversary Kubernetes account with only namespace level roles (e.g. a tenant controlling a namespace) may create a BMCES in their authorized namespace and then load Secrets from their unauthorized namespaces to their authorized namespace via the Baremetal Operator controller's cluster scoped privileges, causing Secret leakage. ### Patches The patch makes BMO refuse to read Secrets from other namespace than where the corresponding Bare Metal Host (BMH) resource is. The patch does not change the `BMCEventSubscription` API in BMO, but stricter validation will deny the request at admission time. It will also prevent the controller reading such Secrets, in case the BMCES resource has already been deployed. The issue...

A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation.

A security vulnerability was discovered in Kubernetes that could allow a user with create pod permission to exploit gitRepo volumes to access local git repositories belonging to other pods on the same node. This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.

A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host. This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.

### Summary There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. I believe that it exists for v4 only. I have not yet developed a PoC. V5 is well designed and instead builds the signed query from the same message that will be consumed. ### Details #### What is verified The data['SignedQuery'] is the string that will be verified by the public key. It is defined here: https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217 THe code will iterate through each parameter name. Notably, sigQuery is overridden each time when processing, making the last of SAMLRequest/SAMLResponse used for sigQuery. For example, given: SAMLRequest=a&SAMLResponse=idpsigned SAMLResponse=idpsigned will be set as sigQuery, then later verified #### What is actually processed Processing uses SAMLReques...