8.8
CVE-2026-4342
- EPSS 1.49%
- Veröffentlicht 19.03.2026 21:50:17
- Zuletzt bearbeitet 19.05.2026 22:16:49
- Quelle jordan@liggitt.net
- CVE-Watchlists
- Unerledigt
ingress-nginx comment-based nginx configuration injection
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Kubernetes ≫ Nginx Ingress Controller Version < 1.13.9
Kubernetes ≫ Nginx Ingress Controller Version >= 1.14.0 < 1.14.5
Kubernetes ≫ Nginx Ingress Controller Version1.15.0
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.49% | 0.708 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| jordan@liggitt.net | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://github.com/kubernetes/kubernetes/issues/137893
http://www.openwall.com/lists/oss-security/2026/03/19/9