CVE-2026-4342
HIGH8.8EPSS 0.06%ingress-nginx comment-based nginx configuration injection
發布日:2026/3/20修改日:2026/5/20
描述
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
受影響套件(2)
- Go/k8s.io/ingress-nginxfrom 0, < 0.0.0-20260319175635-5183b7d86137
- Go/k8s.io/ingress-nginxfrom 0, < 0.0.0-20260319175635-5183b7d86137
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
參考連結(6)
- ADVISORYhttps://github.com/advisories/GHSA-f53h-mxv9-cp98
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-4342
- PATCHhttps://github.com/kubernetes/ingress-nginx
- WEBhttps://github.com/kubernetes/ingress-nginx/commit/5183b7d861377a9a2f6d2acaf44f8f6abd5cd0aa
- WEBhttps://github.com/kubernetes/kubernetes/issues/137893
- WEBhttp://www.openwall.com/lists/oss-security/2026/03/19/9