9.8

CVE-2025-1974

Warnung
Medienbericht

ingress-nginx admission controller RCE escalation

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerkubernetes
Produkt ingress-nginx
Default Statusunaffected
Version <= 1.11.4
Version 0
Status affected
Version 1.12.0
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 99.1% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
jordan@liggitt.net 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-653 Improper Isolation or Compartmentalization

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
09.08.2025 11:36
https://https://github.com/kubernetes/kubernetes/issues/131009
https://security.netapp.com/advisory/ntap-20250328-0008/
https://github.com/B1ack4sh/Blackash-CVE-2025-1974
https://www.exploit-db.com/exploits/52475