CVE-2025-24513
MEDIUM4.8EPSS 0.14%ingress-nginx controller - auth secret file path traversal vulnerability
發布日:2025/3/25修改日:2026/5/20
描述
A security issue was discovered in [ingress-nginx](https://github.com/kubernetes/ingress-nginx) where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.
受影響套件(2)
- Go/k8s.io/ingress-nginxfrom 0, < 1.11.5
- Go/k8s.io/ingress-nginxfrom 0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L |
參考連結(8)
- ADVISORYhttps://github.com/advisories/GHSA-242m-6h72-7hgp
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-24513
- PATCHhttps://github.com/kubernetes/ingress-nginx
- WEBhttps://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
- WEBhttps://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
- WEBhttps://github.com/kubernetes/kubernetes/issues/131005
- WEBhttps://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ
- WEBhttps://security.netapp.com/advisory/ntap-20250328-0008