
Cloud Vulnerability DB
A community-led vulnerabilities database
A security issue was discovered in ingress-nginx (CVE-2022-4886) where users with permissions to create or update ingress objects can bypass the sanitization of the spec.rules[].http.paths[].path field of an Ingress object to obtain the credentials of the ingress-nginx controller. The vulnerability was reported by Ginoah from the DEVCORE Internship Program and was disclosed on October 25, 2023 (Kubernetes Advisory).
The vulnerability affects the path sanitization mechanism in ingress-nginx versions prior to v1.8.0. Specifically, the sanitization controls can be bypassed by way of the log_format directive in Ingress objects of the networking.k8s.io or extensions API group. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (OSS Security).
In the default configuration, successful exploitation of this vulnerability allows attackers to obtain the credentials of the ingress-nginx controller, which has access to all secrets in the cluster. Multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue (Kubernetes Advisory).
Users can verify whether they are affected by running kubectl get po -n ingress-nginx to check whether ingress-nginx is installed on their cluster. The vulnerability has been fixed in ingress-nginx version 1.8.0 and later. Users running earlier versions should upgrade to the patched version (GitHub Issue).
Source: This report was generated using AI
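The affected-version check described above, as an added example that is not part of the advisory or of the ingress-nginx project: it reads the controller image tag from the ingress-nginx namespace and compares it numerically against the fixed release 1.8.0. The image name registry.k8s.io/ingress-nginx/controller and the sha256 digests used in comments are assumed/constructed, and the check assumes the image tag carries the release version.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an ingress-nginx
# controller image tag is below the fixed release v1.8.0 named above.

FIXED_VERSION="1.8.0"   # first release carrying the fix, per the advisory

# Extract the bare version from an image reference such as
#   registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:...
# (image name and digest are assumed/constructed). Prints e.g. "1.7.1";
# returns 1 when the reference carries no tag.
image_version() {
    name="${1%%@*}"      # drop any @sha256:... digest
    name="${name##*/}"   # drop registry/repo so a registry port is not mistaken for a tag
    case "$name" in
        *:*) printf '%s\n' "${name##*:}" | sed 's/^v//' ;;
        *)   return 1 ;;
    esac
}

# Return 0 (true) when $1 is strictly lower than $2, comparing
# major.minor.patch numerically. Pre-release suffixes (-rc1, -beta) are ignored.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal
}

# Print a verdict for one image reference; exit status 0 means vulnerable.
assess_image() {
    v=$(image_version "$1") || { echo "UNKNOWN (no tag)"; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE ($v < $FIXED_VERSION)"; return 0
    fi
    echo "PATCHED ($v >= $FIXED_VERSION)"; return 1
}

# Live check (needs kubectl and cluster access): list the controller images in
# the ingress-nginx namespace, as the advisory's kubectl command does, and assess each.
check_cluster() {
    kubectl get po -n ingress-nginx \
        -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' |
    while read -r img; do [ -n "$img" ] && printf '%s: ' "$img" && assess_image "$img"; done
}
```

Run check_cluster against a cluster where you hold read access to the ingress-nginx namespace; a digest-only image reference prints UNKNOWN and must be resolved by hand.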