CVE-2025-1097 Affecting ingress-nginx-controller-1.10 package, versions <1.10.6-r15
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-INGRESSNGINXCONTROLLER110-9519361
- published26 Mar 2025
- disclosed25 Mar 2025
Introduced: 25 Mar 2025
NewCVE-2025-1097 (opens in a new tab)How to fix?
Upgrade Chainguard ingress-nginx-controller-1.10 to version 1.10.6-r15 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ingress-nginx-controller-1.10 package and not the ingress-nginx-controller-1.10 package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the auth-tls-match-cn Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)