VYPR
Moderate severity · NVD Advisory · Published Jul 29, 2020 · Updated Aug 4, 2024

Kubernetes ingress-nginx Compromise of auth via subset/superset namespace names

CVE-2020-8553

Description

The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
k8s.io/ingress-nginx (Go) | < 0.28.0 | 0.28.0
