CVE-2023-5043 Overview
CVE-2023-5043 is a command injection vulnerability affecting Kubernetes Ingress-nginx that allows attackers to execute arbitrary commands through malicious annotation injection. This vulnerability stems from improper input validation in how the Ingress-nginx controller processes user-supplied annotations, enabling authenticated attackers with the ability to create or modify Ingress resources to inject and execute arbitrary commands on the underlying system.
Critical Impact
Authenticated attackers can achieve arbitrary command execution on Kubernetes clusters running vulnerable Ingress-nginx controllers, potentially compromising the entire cluster infrastructure.
Affected Products
- Kubernetes Ingress-nginx (all vulnerable versions prior to patch)
Discovery Timeline
- 2023-10-25 - CVE-2023-5043 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-5043
Vulnerability Analysis
This vulnerability falls under CWE-20 (Improper Input Validation) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The Ingress-nginx controller processes annotations defined in Kubernetes Ingress resources to configure the underlying nginx web server. When these annotations are not properly sanitized, an attacker can craft malicious annotation values that escape the intended context and inject arbitrary commands.
The attack requires network access and low-privilege authentication—specifically, the attacker needs permissions to create or modify Ingress resources within the Kubernetes cluster. Once exploited, the vulnerability can result in complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause lies in insufficient input validation and sanitization of user-controlled annotation values before they are processed by the Ingress-nginx controller. The controller trusts annotation content and incorporates it into nginx configuration or executes it in contexts where special characters can break out of the intended processing flow, leading to command injection.
Attack Vector
The attack is conducted over the network by an authenticated user with permissions to manipulate Ingress resources. The attacker crafts an Ingress manifest with maliciously crafted annotations containing command injection payloads. When the Ingress-nginx controller processes this resource, the injected commands are executed with the privileges of the controller process.
The exploitation mechanism involves inserting shell metacharacters or command separators within annotation values that are later processed without proper escaping. This allows the attacker to append or inject arbitrary commands that execute in the context of the nginx controller, potentially granting access to secrets, service accounts, and other cluster resources.
Detection Methods for CVE-2023-5043
Indicators of Compromise
- Unexpected or malformed annotations on Ingress resources containing shell metacharacters (;, |, $(), backticks)
- Unusual process execution from the ingress-nginx controller pods
- Kubernetes audit logs showing creation or modification of Ingress resources with suspicious annotation content
- Network connections from ingress-nginx pods to unexpected external destinations
Detection Strategies
- Enable and review Kubernetes audit logging for Ingress resource creation and modification events
- Implement admission controllers or OPA/Gatekeeper policies to validate and restrict annotation content
- Monitor ingress-nginx controller logs for configuration errors or unusual processing patterns
- Deploy runtime security monitoring on ingress-nginx pods to detect unexpected process execution
Monitoring Recommendations
- Configure alerting on Ingress resource modifications in production namespaces
- Implement network policy monitoring for egress connections from ingress-nginx pods
- Review ingress-nginx controller pod resource utilization for anomalies indicating exploitation
- Utilize SentinelOne Kubernetes Workload Protection to detect and alert on suspicious container behavior
How to Mitigate CVE-2023-5043
Immediate Actions Required
- Update Kubernetes Ingress-nginx to the latest patched version immediately
- Audit existing Ingress resources for suspicious or unexpected annotations
- Implement RBAC policies to restrict which users and service accounts can create or modify Ingress resources
- Deploy admission control policies to validate annotation content before acceptance
Patch Information
Kubernetes has addressed this vulnerability in updated versions of the Ingress-nginx controller. Organizations should consult the GitHub Ingress-NGINX Issue and the Kubernetes Security Announcement for specific version information and patch details. Additional guidance is available from the Openwall OSS Security Update and the NetApp Security Advisory.
Workarounds
- Restrict Ingress resource creation permissions using Kubernetes RBAC to only trusted administrators
- Implement OPA Gatekeeper or Kyverno policies to block Ingress resources with annotations containing dangerous characters
- Consider network segmentation to limit the blast radius if the ingress-nginx controller is compromised
- Enable read-only root filesystem for ingress-nginx pods to limit post-exploitation impact
# Example: Restrict Ingress creation with RBAC
# Create a ClusterRole that denies Ingress modification for untrusted users
kubectl create clusterrole ingress-readonly \
--verb=get,list,watch \
--resource=ingresses.networking.k8s.io
# Bind to service accounts that should not create/modify Ingress
kubectl create clusterrolebinding restrict-ingress \
--clusterrole=ingress-readonly \
--serviceaccount=default:restricted-sa
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
