CVE-2021-25742 in Kubernetes and NetApp Products
Published on October 29, 2021

Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.

NVD

Vulnerability Analysis

CVE-2021-25742 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

LOW

Availability Impact:

LOW

Weakness Type

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Products Associated with CVE-2021-25742

stack.watch emails you whenever new vulnerabilities are published in Kubernetes Ingress Nginx or NetApp Trident. Just hit a watch button to start following.

Kubernetes Ingress Nginx

NetApp Trident

Affected Versions

Kubernetes ingress-nginx:

Version unspecified, <= 0.49.0 is affected.
Version next of 0.49.0 and below unspecified is unknown.
Version unspecified, <= 1.0.0 is affected.
Version next of 1.0.0 and below unspecified is unknown.

Exploit Probability

EPSS

0.61%

Percentile

69.43%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.