GHSA-242m-6h72-7hgp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-242m-6h72-7hgp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-242m-6h72-7hgp/GHSA-242m-6h72-7hgp.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-242m-6h72-7hgp
- Aliases
-
- BIT-nginx-ingress-controller-2025-24513
- CVE-2025-24513
- GO-2025-3564
- Related
- Published
- 2025-03-25T00:30:26Z
- Modified
- 2025-03-26T08:26:56.830890Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L CVSS Calculator
- Summary
- ingress-nginx controller - auth secret file path traversal vulnerability
- Details
-
A security issue was discovered in ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.
- Database specific
{ "nvd_published_at": "2025-03-25T00:15:14Z", "cwe_ids": [ "CWE-20", "CWE-22" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-25T15:10:08Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-24513
- https://github.com/kubernetes/kubernetes/issues/131005
- https://github.com/kubernetes/ingress-nginx
- https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
- https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
- https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ
Affected packages
Go / k8s.io/ingress-nginx
Package
- Name
- k8s.io/ingress-nginx
- View open source insights on deps.dev
- Purl
- pkg:golang/k8s.io/ingress-nginx
Go / k8s.io/ingress-nginx
Package
- Name
- k8s.io/ingress-nginx
- View open source insights on deps.dev
- Purl
- pkg:golang/k8s.io/ingress-nginx