High severity7.6NVD Advisory· Published May 24, 2023· Updated Jun 17, 2026
CVE-2021-25748
CVE-2021-25748
Description
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
k8s.io/ingress-nginxGo | < 1.2.1 | 1.2.1 |
Affected products
17- osv-coords16 versionspkg:apk/chainguard/ingress-nginx-controllerpkg:apk/chainguard/ingress-nginx-controller-1.9pkg:apk/chainguard/ingress-nginx-controller-compatpkg:apk/chainguard/ingress-nginx-controller-compat-1.9pkg:apk/chainguard/ingress-nginx-controller-compat-fips-1.9pkg:apk/chainguard/ingress-nginx-controller-fipspkg:apk/chainguard/ingress-nginx-controller-fips-1.9pkg:apk/chainguard/ingress-nginx-controller-fips-compatpkg:apk/chainguard/kube-webhook-certgenpkg:apk/chainguard/kube-webhook-certgen-1.9pkg:apk/chainguard/kube-webhook-certgen-fipspkg:apk/chainguard/kube-webhook-certgen-fips-1.9pkg:apk/wolfi/ingress-nginx-controllerpkg:apk/wolfi/ingress-nginx-controller-compatpkg:apk/wolfi/kube-webhook-certgenpkg:golang/k8s.io/ingress-nginx
< 0+ 15 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.2.1
- Range: unspecified
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-863x-868h-968xghsaADVISORY
- github.com/kubernetes/ingress-nginx/issues/8686nvdIssue TrackingMitigationVendor AdvisoryWEB
- groups.google.com/g/kubernetes-security-announce/c/avaRYa9c7I8nvdMailing ListMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2021-25748ghsaADVISORY
- github.com/kubernetes/ingress-nginx/pull/8623ghsaWEB
- github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.2.1ghsaWEB
News mentions
0No linked articles in our index yet.