{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1097", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "state": "PUBLISHED", "assignerShortName": "kubernetes", "dateReserved": "2025-02-07T00:11:49.551Z", "datePublished": "2025-03-24T23:29:05.879Z", "dateUpdated": "2025-03-27T03:55:13.954Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ingress-nginx", "repo": "https://github.com/kubernetes/ingress-nginx", "vendor": "kubernetes", "versions": [{"lessThanOrEqual": "1.11.4", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "affected", "version": "1.12.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nir Ohfeld"}, {"lang": "en", "type": "finder", "value": "Ronen Shustin"}, {"lang": "en", "type": "finder", "value": "Sagi Tzadik"}, {"lang": "en", "type": "finder", "value": "Hillai Ben Sasson"}], "datePublic": "2025-03-24T19:36:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A security issue was discovered in <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/kubernetes/ingress-nginx\">ingress-nginx</a> where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)"}], "value": "A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)"}], "impacts": [{"capecId": "CAPEC-137", "descriptions": [{"lang": "en", "value": "CAPEC-137 Parameter Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2025-03-24T23:29:05.879Z"}, "references": [{"url": "https://github.com/kubernetes/kubernetes/issues/131007"}], "source": {"discovery": "EXTERNAL"}, "title": "ingress-nginx controller - configuration injection via unsanitized auth-tls-match-cn annotation", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-26T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-1097"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T03:55:13.954Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1097", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-25T13:40:05.020473Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-25T13:40:01.017Z"}}], "cna": {"title": "ingress-nginx controller - configuration injection via unsanitized auth-tls-match-cn annotation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Nir Ohfeld"}, {"lang": "en", "type": "finder", "value": "Ronen Shustin"}, {"lang": "en", "type": "finder", "value": "Sagi Tzadik"}, {"lang": "en", "type": "finder", "value": "Hillai Ben Sasson"}], "impacts": [{"capecId": "CAPEC-137", "descriptions": [{"lang": "en", "value": "CAPEC-137 Parameter Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/kubernetes/ingress-nginx", "vendor": "kubernetes", "product": "ingress-nginx", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.11.4"}, {"status": "affected", "version": "1.12.0"}], "defaultStatus": "unaffected"}], "datePublic": "2025-03-24T19:36:00.000Z", "references": [{"url": "https://github.com/kubernetes/kubernetes/issues/131007"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)", "supportingMedia": [{"type": "text/html", "value": "A security issue was discovered in <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/kubernetes/ingress-nginx\">ingress-nginx</a> where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2025-03-24T23:29:05.879Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1097", "state": "PUBLISHED", "dateUpdated": "2025-03-27T03:55:13.954Z", "dateReserved": "2025-02-07T00:11:49.551Z", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "datePublished": "2025-03-24T23:29:05.879Z", "assignerShortName": "kubernetes"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)"}], "id": "CVE-2025-1097", "lastModified": "2025-03-25T00:15:13.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2025-03-25T00:15:13.590", "references": [{"source": "jordan@liggitt.net", "url": "https://github.com/kubernetes/kubernetes/issues/131007"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}

{"bugzilla": {"description": "ingress-nginx: ingress-nginx controller - configuration injection via unsanitized auth-tls-match-cn annotation", "id": "2354657", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354657"}, "csaw": false, "cwe": "CWE-20", "details": ["A flaw was found in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This issue can lead to arbitrary code execution in the context of the ingress-nginx controller and disclosure of Secrets accessible to the controller. Note that the controller can access all Secrets cluster-wide in the default installation."], "name": "CVE-2025-1097", "public_date": "2025-03-24T23:29:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-1097\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1097\nhttps://github.com/kubernetes/kubernetes/issues/131007"], "statement": "Red Hat Product Security has determined that this vulnerability does not affect any currently supported Red Hat product. This assessment may evolve based on further analysis and discovery. For more information about this vulnerability and the products it affects, please see the linked references."}