9.8
CVE-2025-1974
- EPSS 99.1%
- Veröffentlicht 24.03.2025 23:28:48
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle jordan@liggitt.net
- CVE-Watchlists
- Unerledigt
ingress-nginx admission controller RCE escalation
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerkubernetes
≫
Produkt
ingress-nginx
Default Statusunaffected
Version <=
1.11.4
Version
0
Status
affected
Version
1.12.0
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 99.1% | 0.999 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| jordan@liggitt.net | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-653 Improper Isolation or Compartmentalization
The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://https://github.com/kubernetes/kubernetes/issues/131009
https://security.netapp.com/advisory/ntap-20250328-0008/
https://github.com/B1ack4sh/Blackash-CVE-2025-1974
https://www.exploit-db.com/exploits/52475