CVE-2023-5043

7.6 HIGH

📋 TL;DR

This CVE lets anyone who can create or update Ingress objects inject arbitrary content into the generated nginx configuration through the nginx.ingress.kubernetes.io/configuration-snippet annotation, which the ingress-nginx controller renders into nginx.conf without adequate validation. The result is arbitrary command execution inside the ingress-nginx controller pod and access to the controller's service-account credentials, which in the default installation can read every Secret in the cluster. The bug does not by itself escape the container, but a pod holding cluster-wide Secret access is a short step from broader cluster compromise.

💻 Affected Systems

Products:
  • ingress-nginx
  • Kubernetes ingress-nginx controller
Versions: All versions prior to 1.9.0, 1.8.2, 1.7.2, and 1.6.4
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects deployments where users can create or modify Ingress resources, i.e. the attacker needs RBAC create/update/patch on ingresses in some namespace. The controller must also accept snippet annotations (ConfigMap key allow-snippet-annotations not set to "false"); with snippets disabled the injection point is closed even on an unpatched controller.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Theft of the controller's service-account token, which in the default installation can read every Secret in the cluster (TLS keys, application credentials, other service-account tokens), followed by lateral movement into other workloads and persistent access. Where node or CNI hardening is weak, that foothold can be extended to the underlying node.

🟠 Likely Case

Arbitrary command execution inside the ingress-nginx controller pod, giving the attacker the controller's credentials and a vantage point on the traffic the controller terminates. This is a pod compromise with high-privilege credentials, not a container escape.

🟢 If Mitigated

Limited impact if Ingress write access is restricted with RBAC, snippet annotations are disabled in the controller ConfigMap, the controller's service account is not granted more than it needs, and network segmentation limits what a compromised controller pod can reach.

🌐 Internet-Facing: HIGH - The controller itself is usually internet-facing, but the injection path is the Kubernetes API, not the data plane: the exposure is any principal (tenant, CI pipeline, compromised developer account) allowed to write Ingress objects. A compromised controller then sits on the cluster edge with cluster-wide Secret access.
🏢 Internal Only: MEDIUM - Internal users or compromised workloads holding Ingress write permission can exploit it; multi-tenant clusters where teams are given the built-in edit role in their namespaces are the common case.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires permission to create or update Ingress resources, so it is authenticated by definition, but that permission is routinely granted to application teams in shared clusters. Public proof-of-concept material exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.0, 1.8.2, 1.7.2, or 1.6.4

Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/pVsXsOpxYZo

Restart Required: Yes

Instructions:

1. Update the ingress-nginx controller to a patched version.
2. Update the deployment image (the controller runs in the ingress-nginx namespace in the upstream manifests):

kubectl set image deployment/ingress-nginx-controller controller=registry.k8s.io/ingress-nginx/controller:v1.9.0 -n ingress-nginx

3. Verify the pods roll and restart successfully, then confirm the new image tag is what is running.

🔧 Temporary Workarounds

Restrict Ingress Creation

Applies to: all

Limit who can create or modify Ingress resources using Kubernetes RBAC. Creating a narrow role only helps if broader grants are removed, so first audit the Role/ClusterRole bindings that grant create, update or patch on ingresses (the built-in edit and admin ClusterRoles include them), then scope what remains to trusted principals per namespace:

kubectl create role ingress-editor --verb=create,update,patch --resource=ingresses.networking.k8s.io -n <namespace>
kubectl create rolebinding ingress-editor --role=ingress-editor --user=<trusted-user> -n <namespace>

Disable Snippet Annotations

Applies to: all

The injected annotation is nginx.ingress.kubernetes.io/configuration-snippet, one of the *-snippet annotations that the controller only honours when allow-snippet-annotations is enabled in its ConfigMap. Setting it to "false" makes the controller refuse snippet annotations on every Ingress, which removes the injection point even on an unpatched controller (at the cost of breaking any Ingress that legitimately relies on snippets):

kubectl patch configmap ingress-nginx-controller -n ingress-nginx --type merge -p '{"data":{"allow-snippet-annotations":"false"}}'

On v1.9.0 and later, additionally run the controller with --enable-annotation-validation so that its own admission webhook rejects Ingress objects whose annotation values fail validation, rather than relying on a separately written validating webhook.

🧯 If You Can't Patch

  • Implement strict RBAC to limit Ingress resource creation/modification to trusted users only
  • Set allow-snippet-annotations: "false" in the controller ConfigMap so *-snippet annotations, including configuration-snippet, are refused regardless of who writes the Ingress
  • Reduce the blast radius of the controller's service account: its default ClusterRole can read Secrets cluster-wide, so scope it down if your topology allows (for example when the controller runs with --watch-namespace)
  • Deploy network policies to isolate the ingress-nginx controller and limit lateral movement

🔍 How to Verify

Check Version:

Read the controller image tag and compare it with the fixed releases above; any tag older than the fix for its minor line is vulnerable. The grep keeps only the controller image, so the admission-webhook job pods selected by the same label (which run a different image) do not confuse the result:

kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[*].spec.containers[*].image}' | grep -oE 'controller:v[0-9]+\.[0-9]+\.[0-9]+'

Check if Vulnerable:

Even on an unpatched controller the injection needs snippet annotations to be accepted, so also confirm whether they are enabled (an empty result means the key is unset and the version default applies) and whether any Ingress already uses them:

kubectl get configmap ingress-nginx-controller -n ingress-nginx -o jsonpath='{.data.allow-snippet-annotations}'
kubectl get ingress -A -o json | grep -o '"nginx.ingress.kubernetes.io/[a-z-]*-snippet"' | sort | uniq -c

Verify Fix Applied:

Confirm the running image tag is a fixed release, and that the admission webhook rejects an Ingress carrying an invalid configuration-snippet value. With allow-snippet-annotations set to "false", the controller instead logs an error for, and skips, any Ingress that still carries a snippet annotation.
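The three checks above, as an added example that is not code from the ingress-nginx project: an offline audit that consumes plain dicts shaped like `kubectl get ... -o json` output (controller image, controller ConfigMap data, and the Ingress list) and returns findings. The Ingress objects at the bottom are constructed samples, FIXED_VERSIONS is taken from the version list on this page, and the version comparison handles tags the grep above cannot rank, such as v1.10.1 or digest-pinned images.

```python
"""Added example, not code from the ingress-nginx project: an offline audit of the
three checks above (controller version, allow-snippet-annotations, Ingress objects
carrying snippet annotations). It works on plain dicts shaped like
`kubectl get ... -o json` output; the Ingress objects at the bottom are constructed
samples, and FIXED_VERSIONS is taken from the version list on this page."""
import re

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
# Fixed releases as listed above: a tag is patched if it is >= the entry for its
# minor line, or >= the newest entry when its minor line has no backport.
FIXED_VERSIONS = [(1, 9, 0), (1, 8, 2), (1, 7, 2), (1, 6, 4)]


def parse_controller_version(image):
    """(major, minor, patch) from a ref such as
    registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:...; None without a tag."""
    match = re.search(r":v(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(part) for part in match.groups()) if match else None


def controller_is_patched(image):
    version = parse_controller_version(image)
    if version is None:
        return False  # digest-only or :latest refs cannot be judged; treat as unpatched
    for fixed in FIXED_VERSIONS:
        if version[:2] == fixed[:2]:
            return version >= fixed
    return version >= max(FIXED_VERSIONS)


def snippet_annotations(ingress):
    """All *-snippet annotations on an Ingress (configuration-snippet, server-snippet,
    stream-snippet, ...), which allow-snippet-annotations gates as a group."""
    annotations = (ingress.get("metadata") or {}).get("annotations") or {}
    return {key: value for key, value in annotations.items()
            if key.startswith(ANNOTATION_PREFIX) and key.endswith("-snippet")}


def audit(controller_image, configmap_data, ingresses):
    """Return a list of findings; an empty list means nothing left to act on."""
    findings = []
    if not controller_is_patched(controller_image):
        findings.append(f"controller image {controller_image} is not a fixed release")
    # Only the literal string "false" disables snippets; absent or anything else leaves
    # them under the version's default, so report that explicitly.
    if configmap_data.get("allow-snippet-annotations", "").strip().lower() != "false":
        findings.append('allow-snippet-annotations is not "false" in the controller ConfigMap')
    for ingress in ingresses:
        meta = ingress.get("metadata") or {}
        for key, value in snippet_annotations(ingress).items():
            findings.append(f"{meta.get('namespace')}/{meta.get('name')} sets {key}: {value!r}")
    return findings


# Constructed sample Ingress objects (trimmed to metadata)
BENIGN_INGRESS = {"metadata": {"name": "web", "namespace": "prod", "annotations": {
    ANNOTATION_PREFIX + "rewrite-target": "/"}}}
SNIPPET_INGRESS = {"metadata": {"name": "api", "namespace": "dev", "annotations": {
    ANNOTATION_PREFIX + "configuration-snippet": 'more_set_headers "X-Demo: 1";'}}}

if __name__ == "__main__":
    image = "registry.k8s.io/ingress-nginx/controller:v1.8.1"
    for finding in audit(image, {}, [BENIGN_INGRESS, SNIPPET_INGRESS]):
        print("FINDING:", finding)
```

Feed it real data with `kubectl get ingress -A -o json` (the `items` list) and `kubectl get configmap ingress-nginx-controller -n ingress-nginx -o json` (the `data` map); a snippet annotation reported on an Ingress is not itself an attack, but every such Ingress will break once allow-snippet-annotations is set to "false", so the list doubles as the change-impact check for that workaround.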

📡 Detection & Monitoring

Log Indicators:

  • Ingress create/update/patch audit events whose request body carries nginx.ingress.kubernetes.io/*-snippet annotations, especially from users or namespaces that have never used them before
  • Controller log lines reporting an Ingress rejected or skipped for an invalid or disallowed annotation
  • Processes other than nginx and the controller binary spawned inside the ingress-nginx controller pod
  • Use of the controller's service-account token from somewhere other than a controller pod: audit events with user.username system:serviceaccount:ingress-nginx:ingress-nginx and an unexpected sourceIPs, or individual Secret get requests by that account that do not match its normal list/watch pattern

Network Indicators:

  • Outbound connections from the controller pod to destinations other than its configured backends and the API server
  • API-server connections presenting the controller's token from IPs that are not controller pods
  • Lateral movement attempts originating from the ingress-nginx namespace

SIEM Query:

source="kubernetes-audit" AND objectRef.resource="ingresses" AND verb IN ("create","update","patch") AND stage="ResponseComplete" AND requestObject.metadata.annotations.* MATCHES "nginx.ingress.kubernetes.io/*-snippet"

source="kubernetes-audit" AND user.username="system:serviceaccount:ingress-nginx:ingress-nginx" AND NOT sourceIPs IN (<controller pod IPs>)

The first query needs the audit policy to record ingresses at level Request or RequestResponse; at level Metadata the requestObject field, and with it the annotations, is absent.
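The two queries above run over raw API-server audit events, as an added example that is not code from the ingress-nginx project or any SIEM product. It takes audit log lines in JSON-lines form, flags Ingress writes that carry *-snippet annotations, and separately flags use of the controller's service-account token from an address that is not a controller pod. The events and the controller pod IP set below are constructed; the service-account name is the upstream manifest default and should be adjusted for Helm installs that rename it.

```python
"""Added example, not code from the ingress-nginx project or any SIEM product: the
two SIEM queries above run over Kubernetes API-server audit events in JSON-lines
form. The events below are constructed; requestObject is only present at audit
policy level Request or RequestResponse, so the first check needs that level on
ingresses."""
import json

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
WRITE_VERBS = {"create", "update", "patch"}
CONTROLLER_SA = "system:serviceaccount:ingress-nginx:ingress-nginx"  # upstream manifest default


def parse_events(lines):
    """Yield completed audit events, skipping lines that are not JSON objects."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("stage") == "ResponseComplete":
            yield event


def snippet_keys(body):
    """*-snippet annotation keys in a full object or a JSON merge-patch body;
    a JSON patch (a list of ops) has no annotations map and yields nothing."""
    if not isinstance(body, dict):
        return []
    annotations = (body.get("metadata") or {}).get("annotations") or {}
    return sorted(k for k in annotations if k.startswith(ANNOTATION_PREFIX) and k.endswith("-snippet"))


def snippet_ingress_writes(lines):
    """Alerts for Ingress create/update/patch requests carrying snippet annotations."""
    alerts = []
    for event in parse_events(lines):
        ref = event.get("objectRef") or {}
        if event.get("verb") not in WRITE_VERBS or ref.get("resource") != "ingresses":
            continue
        keys = snippet_keys(event.get("requestObject"))
        if keys:
            alerts.append({
                "user": (event.get("user") or {}).get("username"),
                "sourceIPs": event.get("sourceIPs", []),
                "verb": event["verb"],
                "ingress": f"{ref.get('namespace')}/{ref.get('name')}",
                "annotations": keys,
                # a 2xx means the API server, and so the admission webhook, accepted it
                "admitted": (event.get("responseStatus") or {}).get("code", 0) < 300,
            })
    return alerts


def unexpected_token_use(lines, controller_pod_ips, service_account=CONTROLLER_SA):
    """Alerts for requests made with the controller's token from an IP that is not
    one of its pods: the signature of a stolen service-account token."""
    alerts = []
    for event in parse_events(lines):
        if (event.get("user") or {}).get("username") != service_account:
            continue
        ips = event.get("sourceIPs", [])
        if not set(ips) <= set(controller_pod_ips):
            ref = event.get("objectRef") or {}
            alerts.append({"sourceIPs": ips, "verb": event.get("verb"),
                           "resource": f"{ref.get('resource')} {ref.get('namespace')}/{ref.get('name')}"})
    return alerts


def _event(**fields):
    """Build one constructed audit.k8s.io/v1 event line."""
    base = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete"}
    return json.dumps({**base, **fields})


# Constructed sample log: a benign create, a snippet patch, a JSON-patch label edit,
# the controller's normal Secret list, a Secret read with its token from outside, junk.
SAMPLE_AUDIT_LOG = [
    _event(verb="create", user={"username": "dev-alice"}, sourceIPs=["10.0.0.7"],
           objectRef={"resource": "ingresses", "namespace": "prod", "name": "web"},
           requestObject={"metadata": {"annotations": {ANNOTATION_PREFIX + "rewrite-target": "/"}}},
           responseStatus={"code": 201}),
    _event(verb="patch", user={"username": "dev-bob"}, sourceIPs=["198.51.100.9"],
           objectRef={"resource": "ingresses", "namespace": "dev", "name": "api"},
           requestObject={"metadata": {"annotations": {
               ANNOTATION_PREFIX + "configuration-snippet": 'more_set_headers "X-Demo: 1";'}}},
           responseStatus={"code": 200}),
    _event(verb="patch", user={"username": "ci-bot"}, sourceIPs=["10.0.0.9"],
           objectRef={"resource": "ingresses", "namespace": "dev", "name": "api"},
           requestObject=[{"op": "add", "path": "/metadata/labels/team", "value": "dev"}],
           responseStatus={"code": 200}),
    _event(verb="list", user={"username": CONTROLLER_SA}, sourceIPs=["10.244.1.5"],
           objectRef={"resource": "secrets"}, responseStatus={"code": 200}),
    _event(verb="get", user={"username": CONTROLLER_SA}, sourceIPs=["198.51.100.9"],
           objectRef={"resource": "secrets", "namespace": "prod", "name": "db-credentials"},
           responseStatus={"code": 200}),
    "not json at all",
]
CONTROLLER_POD_IPS = {"10.244.1.5"}  # constructed: the controller pods' addresses

if __name__ == "__main__":
    for alert in snippet_ingress_writes(SAMPLE_AUDIT_LOG) + unexpected_token_use(SAMPLE_AUDIT_LOG, CONTROLLER_POD_IPS):
        print(alert)
```

The second detector is the more valuable one after the fact: a snippet write from a legitimate tenant may be noise, but the controller's token being presented from an address outside its pods is not. Keep the controller pod IP set current (the pods' status.podIPs) or the check will page on every rollout.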
