Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

GHSA-mgvx-rpfc-9mpv: ingress-nginx admission controller RCE escalation

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

ghsa
Open in Source
#vulnerability#kubernetes#rce#nginx#auth
GHSA-fwwp-xcxw-39vq: ingress-nginx controller - configuration injection via unsanitized auth-url annotation

A security issue was discovered in [ingress-nginx](https://github.com/kubernetes/ingress-nginx) where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

GHSA-vg63-w3p9-jc9m: ingress-nginx controller - configuration injection via unsanitized mirror annotations

A security issue was discovered in [ingress-nginx](https://github.com/kubernetes/ingress-nginx) where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

GHSA-823x-fv5p-h7hw: ngress-nginx controller - configuration injection via unsanitized auth-tls-match-cn annotation

A security issue was discovered in [ingress-nginx](https://github.com/kubernetes/ingress-nginx) where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

GHSA-242m-6h72-7hgp: ingress-nginx controller - auth secret file path traversal vulnerability

A security issue was discovered in [ingress-nginx](https://github.com/kubernetes/ingress-nginx) where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.

GHSA-v3vp-fg2v-g7q4: OpenDaylight SFC Denial of Service (DoS)

Use of incorrectly resolved name or reference in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to cause a Denial of Service (DoS).

GHSA-x65v-g96x-c6gw: OpenDaylight SFC Allows Unauthorized Privileged Execution via Crafted Request

An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged operations via a crafted request.

GHSA-xp75-w7vq-5x6j: OpenDaylight SFC Insecure Shiro Cookie Configuration

Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack.

How to Delete Your Data From 23andMe

DNA-testing company 23andMe has filed for bankruptcy, which means the future of the company’s vast trove of customer data is unknown. Here’s what that means for your genetic data.

5 Unexpected Devices You Didn’t Know Could Spread Malware

When you think of malware, your mind probably jumps to malicious downloads or email attachments. But it turns…