Ingress-nginx path can be pointed to service account token file
Description
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In ingress-nginx, a user able to create or update Ingress objects can use the path field to obtain the controller's service account token, which in default configurations grants access to all cluster secrets.
Vulnerability
A security issue exists in ingress-nginx where a user who can create or update Ingress objects (in the networking.k8s.io or extensions API group) can use the spec.rules[].http.paths[].path field to point to the service account token file of the ingress-nginx controller [1][3][4]. This affects ingress-nginx versions prior to v1.2.0 [3][4]. In the default configuration, the controller's service account token has access to all secrets in the cluster [1][3][4].
Exploitation
An attacker who holds create or update permission on Ingress resources can set the spec.rules[].http.paths[].path field to a value that references the controller's service account token file path [3][4]. The attack is network-accessible and needs no user interaction beyond the attacker's own authenticated API request (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L) [3][4]. Multitenant clusters in which non-admin users may create Ingress objects are the most exposed [3][4].
Impact
Successful exploitation allows the attacker to read the service account token of the ingress-nginx controller [3][4]. Since in the default configuration this token has access to all secrets in the Kubernetes cluster, the attacker can then read any secret, leading to a high confidentiality impact [1][3][4]. The attacker may also gain limited integrity and availability impact (CVSS sub-scores indicate low impact on those axes) [3][4].
Mitigation
The vulnerability is fixed in ingress-nginx versions v1.2.0-rc.0 and v1.2.0 [3][4]. Users unable to upgrade immediately can implement an admission policy that restricts the spec.rules[].http.paths[].path field on the networking.k8s.io/Ingress resource to known safe characters, for example by using an admission webhook or the annotation-value-word-blocklist approach [3][4]. There is no known exploitation as of the advisory's publication date.
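The admission-policy workaround above can be implemented as a validating admission webhook. The following Go program is an added example written for this page; it is not code from the advisory or from the ingress-nginx project. It decodes an admission.k8s.io/v1 AdmissionReview, walks spec.rules[].http.paths[].path of the submitted Ingress and denies the request if any path contains a character outside a conservative allow-list. The allow-list regex, the /validate route, the listen address and the TLS file names are this example's own assumptions, not the validation rule ingress-nginx applies from v1.2.0.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"regexp"
)

// Hypothetical allow-list for Ingress path values: a leading slash followed by
// unreserved URL characters and slashes. This is an assumption made for this
// example, not the rule ingress-nginx itself enforces from v1.2.0 onward.
var safePath = regexp.MustCompile(`^/[A-Za-z0-9._~/\-]*$`)

// Minimal projection of a networking.k8s.io/v1 Ingress: only the fields we check.
type httpPath struct {
	Path string `json:"path"`
}
type ingressRule struct {
	HTTP *struct {
		Paths []httpPath `json:"paths"`
	} `json:"http"`
}
type ingress struct {
	Spec struct {
		Rules []ingressRule `json:"rules"`
	} `json:"spec"`
}

// ValidateIngress returns nil when every spec.rules[].http.paths[].path matches
// safePath, otherwise an error that names the offending field.
func ValidateIngress(raw []byte) error {
	var ing ingress
	if err := json.Unmarshal(raw, &ing); err != nil {
		return fmt.Errorf("cannot decode Ingress: %w", err)
	}
	for ri, rule := range ing.Spec.Rules {
		if rule.HTTP == nil {
			continue // host-only rule, nothing to validate
		}
		for pi, p := range rule.HTTP.Paths {
			if p.Path == "" {
				continue // an empty path is permitted by the Ingress API
			}
			if !safePath.MatchString(p.Path) {
				return fmt.Errorf("spec.rules[%d].http.paths[%d].path %q contains characters outside the allow-list", ri, pi, p.Path)
			}
		}
	}
	return nil
}

// Minimal admission.k8s.io/v1 AdmissionReview envelope (request and response).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}
type Status struct {
	Message string `json:"message"`
}

// Review decides one AdmissionReview: allowed unless ValidateIngress rejects the object.
func Review(body []byte) (*AdmissionReview, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	}
	if ar.Request == nil {
		return nil, fmt.Errorf("AdmissionReview carries no request")
	}
	resp := &AdmissionResponse{UID: ar.Request.UID, Allowed: true}
	if err := ValidateIngress(ar.Request.Object); err != nil {
		resp.Allowed = false
		resp.Status = &Status{Message: err.Error()}
	}
	return &AdmissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind, Response: resp}, nil
}

// handler is the endpoint a ValidatingWebhookConfiguration for Ingress would call.
func handler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := Review(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(out)
}

// Constructed sample request (not captured from a real cluster): its path holds braces.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"example-uid","object":{"spec":{"rules":[{"http":{"paths":[{"path":"/{bad}","pathType":"Prefix"}]}}]}}}}`

func main() {
	out, err := Review([]byte(sampleReview))
	if err != nil {
		log.Fatal(err)
	}
	enc, _ := json.Marshal(out)
	fmt.Println(string(enc)) // the sample is denied with a message naming the field
	http.HandleFunc("/validate", handler)
	log.Fatal(http.ListenAndServeTLS(":8443", "tls.crt", "tls.key", nil)) // file names are assumptions
}
```

Register the endpoint through a ValidatingWebhookConfiguration scoped to CREATE and UPDATE of networking.k8s.io Ingress objects with failurePolicy Fail, so that a webhook outage does not silently admit unchecked paths; keep the allow-list as narrow as your workloads permit, because every extra character class widens what reaches the generated nginx configuration.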
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| k8s.io/ingress-nginx (Go) | < 1.2.0 | 1.2.0 |
Affected products
- pkg:apk/chainguard/ingress-nginx-controller (no CPE) range: < 0
- pkg:apk/chainguard/ingress-nginx-controller-1.9 (no CPE) range: < 0
- pkg:apk/chainguard/ingress-nginx-controller-compat (no CPE) range: < 0
- pkg:apk/chainguard/ingress-nginx-controller-compat-1.9 (no CPE) range: < 0
- pkg:apk/chainguard/ingress-nginx-controller-compat-fips-1.9 (no CPE) range: < 0
- pkg:apk/chainguard/ingress-nginx-controller-fips (no CPE) range: < 0
- pkg:apk/chainguard/ingress-nginx-controller-fips-1.9 (no CPE) range: < 0
- pkg:apk/chainguard/ingress-nginx-controller-fips-compat (no CPE) range: < 0
- pkg:apk/chainguard/kube-webhook-certgen (no CPE) range: < 0
- pkg:apk/chainguard/kube-webhook-certgen-1.9 (no CPE) range: < 0
- pkg:apk/chainguard/kube-webhook-certgen-fips (no CPE) range: < 0
- pkg:apk/chainguard/kube-webhook-certgen-fips-1.9 (no CPE) range: < 0
- pkg:apk/wolfi/ingress-nginx-controller (no CPE) range: < 0
- pkg:apk/wolfi/ingress-nginx-controller-compat (no CPE) range: < 0
- pkg:apk/wolfi/kube-webhook-certgen (no CPE) range: < 0
- pkg:golang/k8s.io/ingress-nginx (no CPE) range: < 1.2.0
- pkg:rpm/opensuse/rke&distro=openSUSE%20Tumbleweed (no CPE) range: < 1.3.10-1.1
- Kubernetes / Kubernetes ingress-nginx (v5) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-pvmg-xgmx-9mxh (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-25745 (GHSA: ADVISORY)
- github.com/kubernetes/ingress-nginx/issues/8502 (GHSA: x_refsource_MISC, WEB)
- groups.google.com/g/kubernetes-security-announce/c/7vQrpDZeBlc (GHSA: x_refsource_MISC, WEB)
- security.netapp.com/advisory/ntap-20220609-0006 (GHSA: WEB)
- security.netapp.com/advisory/ntap-20220609-0006/ (MITRE: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.