CVE-2024-7646
📋 TL;DR
This vulnerability allows attackers with permission to create Ingress objects to bypass annotation validation and execute arbitrary commands, potentially compromising the ingress-nginx controller credentials. In default configurations, these credentials grant access to all cluster secrets, affecting Kubernetes clusters using ingress-nginx. Organizations using ingress-nginx with default settings are at risk.
💻 Affected Systems
- ingress-nginx
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full cluster compromise where attacker gains access to all secrets, potentially leading to data exfiltration, lateral movement, and complete control over the Kubernetes environment.
Likely Case
Privilege escalation leading to unauthorized access to sensitive secrets and potential deployment of malicious workloads within the cluster.
If Mitigated
Limited impact if proper RBAC controls restrict Ingress creation permissions and network policies isolate the ingress-nginx controller.
🎯 Exploit Status
Exploitation requires authenticated access with Ingress creation permissions; the vulnerability is well documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific ingress-nginx releases after fixes in PRs 11719 and 11721
Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/a1__cKjWkfA
Restart Required: Yes
Instructions:
1. Update ingress-nginx to a patched version.
2. Restart the ingress-nginx controller pods.
3. Verify that annotation validation is enforced.
🔧 Temporary Workarounds
Restrict Ingress Creation Permissions
Implement strict RBAC controls to limit who can create Ingress objects
kubectl create role restricted-ingress-creator --verb=create --resource=ingresses
kubectl create rolebinding restrict-ingress --role=restricted-ingress-creator --user=trusted-user
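Before tightening RBAC it helps to know who can already create Ingress objects, wildcards included. The following script is an added example for this workaround, not code from the original page or from the ingress-nginx project. It reads the `items` array of the JSON produced by `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`, resolves every binding (a RoleBinding may point at either a Role in its namespace or a ClusterRole), and lists each subject that ends up with the `create` verb on `ingresses`. The cluster dump embedded below is constructed for the example.

```python
"""List RBAC subjects that can create Ingress objects (added example)."""
import json
import sys

# "extensions" is the legacy API group that older roles may still reference.
INGRESS_GROUPS = {"networking.k8s.io", "extensions"}


def rule_grants_ingress_create(rule):
    """True if one RBAC rule covers verb 'create' on ingresses, wildcards included."""
    verbs = set(rule.get("verbs", []))
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verb_ok = "*" in verbs or "create" in verbs
    group_ok = "*" in groups or bool(groups & INGRESS_GROUPS)
    resource_ok = "*" in resources or "ingresses" in resources
    return verb_ok and group_ok and resource_ok


def ingress_creators(items):
    """Return sorted (subject kind, subject name, scope, role name) tuples.

    Scope is 'cluster-wide' for ClusterRoleBindings and 'namespace:<ns>'
    for RoleBindings. Roles are keyed by (kind, namespace, name) because a
    Role only exists inside its namespace while a ClusterRole has none.
    """
    granting = set()
    for obj in items:
        if obj.get("kind") in ("Role", "ClusterRole"):
            if any(rule_grants_ingress_create(r) for r in obj.get("rules", [])):
                ns = obj["metadata"].get("namespace", "")
                granting.add((obj["kind"], ns, obj["metadata"]["name"]))

    found = set()
    for obj in items:
        kind = obj.get("kind")
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        binding_ns = obj["metadata"].get("namespace", "")
        # A RoleBinding that references a ClusterRole still only grants it in its own namespace.
        ref_ns = binding_ns if ref["kind"] == "Role" else ""
        if (ref["kind"], ref_ns, ref["name"]) not in granting:
            continue
        scope = "cluster-wide" if kind == "ClusterRoleBinding" else f"namespace:{binding_ns}"
        for subj in obj.get("subjects", []):
            found.add((subj["kind"], subj["name"], scope, ref["name"]))
    return sorted(found)


# Constructed sample dump: not taken from any real cluster.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ingress-editor"},
     "rules": [{"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
                "verbs": ["get", "list", "create", "update"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "legacy-ingress", "namespace": "shop"},
     "rules": [{"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["create"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "masters"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "devs-edit-ingress", "namespace": "shop"},
     "roleRef": {"kind": "ClusterRole", "name": "ingress-editor"},
     "subjects": [{"kind": "Group", "name": "developers"},
                  {"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "shop"}]},
    {"kind": "RoleBinding", "metadata": {"name": "legacy", "namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "legacy-ingress"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    # Pass a file saved from the kubectl command above, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            items = json.load(fh)["items"]
    else:
        items = SAMPLE_ITEMS
    for kind, name, scope, role in ingress_creators(items):
        print(f"{kind:15} {name:30} {scope:18} via {role}")
```

On the sample the script reports `system:masters` (cluster-wide through the `*` wildcard), `developers` and `ci-deployer` in namespace `shop`, and `alice` through the legacy `extensions` group, while `system:authenticated` is not listed because `view` has no `create` verb. Anything on a real cluster's output that is not on the trusted list is a candidate for the rolebinding cleanup the workaround describes.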
Network Policy Isolation
Apply network policies to restrict ingress-nginx controller network access
kubectl apply -f network-policy.yaml
🧯 If You Can't Patch
- Implement strict RBAC to limit Ingress object creation to minimal trusted users
- Monitor and audit all Ingress creation events and annotation modifications
🔍 How to Verify
Check if Vulnerable:
Check if your ingress-nginx version is before the patched releases mentioned in PRs 11719 and 11721
Check Version:
kubectl describe pod -n ingress-nginx | grep Image
Verify Fix Applied:
Verify ingress-nginx controller version after update and test that annotation validation prevents command injection
📡 Detection & Monitoring
Log Indicators:
- Unusual Ingress object creations
- Suspicious annotation modifications
- Unexpected command execution in ingress-nginx logs
Network Indicators:
- Unusual outbound connections from ingress-nginx pods
- Unexpected access to Kubernetes API server from ingress-nginx
SIEM Query:
source="kubernetes" AND (resource="ingresses" AND verb="create") AND user NOT IN ["trusted-users-list"]
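The SIEM query above is pseudo-syntax; the following is an added example, not code from the original page or from ingress-nginx, of the same two log indicators (unusual Ingress creations and annotation modifications) implemented against Kubernetes API-server audit events in `audit.k8s.io/v1` JSON-lines form. It assumes the audit policy records Ingress writes at `RequestResponse` level so that `requestObject` is present, and uses a constructed `TRUSTED_USERS` allowlist and constructed sample events. Writes that the API server or a validating webhook rejected (HTTP status 4xx) are still reported, marked `[rejected]`, because a refused attempt is itself worth seeing.

```python
"""Flag Ingress audit events worth reviewing (added example)."""
import json

# Constructed allowlist of identities expected to create Ingresses.
TRUSTED_USERS = {
    "platform-admin",
    "system:serviceaccount:argocd:argocd-application-controller",
}
NGINX_PREFIX = "nginx.ingress.kubernetes.io/"
WRITE_VERBS = {"create", "update", "patch"}


def extract_annotations(event):
    """Annotations from the request body. Create/update/merge-patch bodies are
    objects; a JSON Patch body is a list with no metadata map, so yield none."""
    body = event.get("requestObject")
    if not isinstance(body, dict):
        return {}
    return (body.get("metadata") or {}).get("annotations") or {}


def analyse_event(event):
    """Return a list of (rule, detail) findings for one audit event."""
    findings = []
    ref = event.get("objectRef") or {}
    # Only the final stage of Ingress requests; RequestReceived would double count.
    if ref.get("resource") != "ingresses" or event.get("stage") != "ResponseComplete":
        return findings
    verb = event.get("verb")
    user = (event.get("user") or {}).get("username", "<unknown>")
    target = f"{ref.get('namespace', '?')}/{ref.get('name', '?')}"
    code = (event.get("responseStatus") or {}).get("code", 0)
    suffix = " [rejected]" if code >= 400 else ""
    if verb == "create" and user not in TRUSTED_USERS:
        findings.append(("ingress-create-untrusted", f"{user} created {target}{suffix}"))
    if verb in WRITE_VERBS:
        nginx_keys = sorted(k for k in extract_annotations(event) if k.startswith(NGINX_PREFIX))
        if nginx_keys:
            findings.append(("nginx-annotation-change",
                             f"{user} {verb} {target} set {', '.join(nginx_keys)}{suffix}"))
    return findings


def scan(lines):
    """Scan JSON-lines audit text and return all findings in log order."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(analyse_event(json.loads(line)))
    return findings


def _event(user, verb, name, stage="ResponseComplete", annotations=None, code=201):
    """Build a minimal constructed audit event in audit.k8s.io/v1 shape."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage, "verb": verb,
          "user": {"username": user},
          "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                        "namespace": "shop", "name": name},
          "responseStatus": {"code": code}}
    if verb in WRITE_VERBS:
        ev["requestObject"] = {"kind": "Ingress",
                               "metadata": {"name": name, "annotations": annotations or {}}}
    return ev


# Constructed sample log: six events, one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("platform-admin", "create", "web", annotations={NGINX_PREFIX + "rewrite-target": "/"}),
    _event("dev-bob", "create", "test"),
    _event("dev-bob", "update", "test", annotations={NGINX_PREFIX + "proxy-body-size": "8m"}, code=200),
    _event("dev-bob", "update", "test", stage="RequestReceived",
           annotations={NGINX_PREFIX + "proxy-body-size": "8m"}),
    _event("dev-bob", "get", "test", code=200),
    _event("dev-carol", "create", "staging", code=403),
])

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule:26} {detail}")
```

On the sample this yields four findings: the trusted admin's create is reported only for setting a controller annotation, dev-bob's create is flagged as untrusted, his later update is flagged for the annotation change, the duplicate `RequestReceived` stage and the read are ignored, and dev-carol's refused create is reported with `[rejected]`. Feeding real audit output (for example the file written by `--audit-log-path`) in place of `SAMPLE_LOG` and replacing the allowlist with the identities your SIEM query already trusts gives the same triage as the query, with the annotation keys included in each finding.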