First published: Tue Sep 25 2018
Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed Prometheus metrics publicly.
Credit: jordan@liggitt.net
Affected Software | Affected Version | How to fix |
---|---|---|
go/k8s.io/ingress-nginx | <1.5 | 1.5 |
Kubernetes Nginx Ingress Controller | <1.5.0 | |
CVE-2018-1002104 is a vulnerability in versions < 1.5 of the Kubernetes ingress default backend, which exposes Prometheus metrics publicly.
CVE-2018-1002104 has a severity value of 5.3 (medium).
Versions < 1.5 of the Kubernetes ingress default backend, as well as Kubernetes Nginx Ingress Controller up to version 1.5.0, are affected by CVE-2018-1002104.
To fix CVE-2018-1002104, update your Kubernetes ingress default backend or Kubernetes Nginx Ingress Controller to version 1.5 or above.
You can find more information about CVE-2018-1002104 on the NIST National Vulnerability Database (NVD) website: https://nvd.nist.gov/vuln/detail/CVE-2018-1002104