CVE-2024-7646
Published: 16 August 2024
Summary
CVE-2024-7646 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-7646 affects the ingress-nginx controller for Kubernetes. The flaw allows an authenticated user who can create Ingress resources in the networking.k8s.io or extensions API groups to bypass annotation validation checks, resulting in arbitrary command injection that yields the ingress-nginx controller's service account token.
An attacker with those minimal permissions can therefore retrieve the controller credential, which by default is granted read access to every secret across the cluster. Successful exploitation grants broad cluster-level data access without requiring any other privileges or user interaction.
Public references point to fixes merged in ingress-nginx pull requests 11719 and 11721, accompanied by a Kubernetes security announcement and an oss-security disclosure that describe the required configuration and upgrade steps.
The associated EPSS score reached a peak of 0.2576 before receding to its current value of 0.2218, indicating modest post-disclosure interest that has since declined.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48533
Vulnerability details
A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Directly implements checks on information inputs to reject invalid data before processing.
- Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.