A security issue was discovered in ingress-nginx versions older than v0.28.0. The issue is of medium severity, and upgrading is encouraged to fix the vulnerability.

Am I vulnerable?

The vulnerability exists only if the annotation nginx.ingress.kubernetes.io/auth-type: basic is used.

How do I upgrade?

Follow installation instructions here

Vulnerability Details

A vulnerability has been discovered where a malicious user could create a new Ingress definition resulting in the replacement of the password file. The vulnerability requires that the victim namespace and/or secret use a hyphen in the name.

This scenario requires privileges in the cluster to create and read ingresses and also create secrets.

This issue is filed as CVE-2020-8553.

/close