CVE-2025-1097 The advisory has been revoked - it doesn't affect any version of package ingress-nginx-controller-fips-1.10 (opens in a new tab)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-INGRESSNGINXCONTROLLERFIPS110-9519369
- published26 Mar 2025
- disclosed25 Mar 2025
Introduced: 25 Mar 2025
NewCVE-2025-1097 (opens in a new tab)Amendment
The Chainguard security team deemed this advisory irrelevant for Chainguard:latest.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ingress-nginx-controller-fips-1.10 package and not the ingress-nginx-controller-fips-1.10 package as distributed by Chainguard.
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the auth-tls-match-cn Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)