Moderate severity · NVD Advisory · Published May 24, 2023 · Updated Jan 16, 2025

Ingress-nginx `path` sanitization can be bypassed with newline character

CVE-2021-25748

Description

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A user with ingress create/update permissions can inject a newline in the path field to bypass sanitization and steal the ingress-nginx controller's credentials, which can access all cluster secrets.

CVE-2021-25748 is a vulnerability in ingress-nginx where the sanitization of the spec.rules[].http.paths[].path field in Ingress objects can be bypassed using a newline character [1][4]. This insufficient input validation allows an attacker to inject malicious content that leads to the exposure of the ingress-nginx controller's credentials.

An attacker must have the ability to create or update Ingress objects in the cluster. The newline character bypasses the existing sanitization logic, enabling the injection of arbitrary content into the generated NGINX configuration [4]. This attack is particularly relevant in multitenant environments where non-admin users are granted permissions to manage Ingress resources.

Successful exploitation grants the attacker the credentials of the ingress-nginx controller. In the default configuration, this service account has access to all secrets in the cluster, potentially leading to full cluster compromise [1][4].

The vulnerability is fixed in ingress-nginx version 1.2.1 [4]. Users unable to upgrade immediately can mitigate the issue by implementing an admission policy that restricts the path field to a set of known safe characters, as suggested in the security advisory [4]. The fix was implemented in pull request #8623 [2].
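One way to express the allowlist check behind such an admission policy, as an added example (not code from ingress-nginx or the advisory). The character set in `safePath`, the `UnsafePaths` helper and the sample object are assumptions made for illustration; clusters that rely on regex paths would need a wider set.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// safePath is an assumed allowlist, not the project's own rule. \A and \z
// anchor to the whole string, so a newline anywhere in the value fails the
// match. An omitted (empty) path passes.
var safePath = regexp.MustCompile(`\A(?:/[A-Za-z0-9/._~%-]*)?\z`)

// ingress models only the fields this check reads.
type ingress struct {
	Spec struct {
		Rules []struct {
			HTTP *struct {
				Paths []struct {
					Path string `json:"path"`
				} `json:"paths"`
			} `json:"http"`
		} `json:"rules"`
	} `json:"spec"`
}

// UnsafePaths returns the location of every path outside the allowlist;
// an empty result means the object passes this check.
func UnsafePaths(raw []byte) ([]string, error) {
	var ing ingress
	if err := json.Unmarshal(raw, &ing); err != nil {
		return nil, fmt.Errorf("decode ingress: %w", err)
	}
	var bad []string
	for i, r := range ing.Spec.Rules {
		if r.HTTP == nil {
			continue
		}
		for j, p := range r.HTTP.Paths {
			if !safePath.MatchString(p.Path) {
				bad = append(bad, fmt.Sprintf("spec.rules[%d].http.paths[%d].path", i, j))
			}
		}
	}
	return bad, nil
}

// Constructed sample: the second path carries an embedded newline (JSON \n).
const sampleIngress = `{"spec":{"rules":[{"http":{"paths":[{"path":"/app"},{"path":"/app\nx"}]}}]}}`

func main() { fmt.Println(UnsafePaths([]byte(sampleIngress))) }
```

A validating admission webhook would run a check like this on the object in each AdmissionReview request and deny the request when the returned list is non-empty.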

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| k8s.io/ingress-nginx | Go | < 1.2.1 | 1.2.1 |
