InfoSecBulletin Cybersecurity for mankind
Three unpatched security flaws in the NGINX Ingress controller for Kubernetes have been revealed. These flaws have a high severity level and could be used by a malicious actor to steal secret credentials from the cluster.
The vulnerabilities are as follows:
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
CVE-2025-29824
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day
Hacker exploited Samsung MagicINFO 9 Server RCE flaw
CISA adds Langflow flaw to its KEV catalog
Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
CVE-2022-4886 (CVSS score: 8.8) – Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller.
CVE-2023-5043 (CVSS score: 7.6) – Ingress-nginx annotation injection causes arbitrary command execution.
CVE-2023-5044 (CVSS score: 7.6) – Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
The vulnerabilities CVE-2023-5043 and CVE-2023-5044 allow an attacker to steal secret credentials from the cluster.
Exploiting the flaws could let a person inject code into the ingress controller process, and get access to sensitive data without permission.
CVE-2022-4886 allows an attacker to steal Kubernetes API credentials from the ingress controller by exploiting a lack of validation in the “spec.rules[].http.paths[].path” field.
The operator can define the routing of incoming HTTP paths in the Ingress object. However, the vulnerable application does not properly check the validity of the inner path. This means that the inner path can point to an internal file that contains the service account token, which is used for authentication against the API server.
To address the issue, the software maintainers have provided solutions. These involve enabling the “strict-validate-path-type” option and setting the –enable-annotation-validation flag. By doing so, the creation of Ingress objects with invalid characters is prevented, and extra limitations are enforced.
ARMO said that updating NGINX to version 1.19, alongside adding the “–enable-annotation-validation” command-line configuration, resolves CVE-2023-5043 and CVE-2023-5044.
“Although they point in different directions, all of these vulnerabilities point to the same underlying problem,” Hirschberg said.
For more information click here.
