Advisories for Golang/Github.com/Kong/Kubernetes-Ingress-Controller package

2026

Kong Ingress Controller for Kubernetes (KIC): Secret-backed plugin configurations leak through non-sensitive diagnostics endpoint

A vulnerability in the Kong Ingress Controller (KIC) allows for the unauthorized exposure of sensitive plugin credentials through the diagnostics interface. Even when configured to redact sensitive information (using --dump-sensitive-config=false), KIC fails to sanitize the Plugins field in diagnostic configuration dumps. This causes secrets referenced via configFrom.secretKeyRef to be resolved and displayed in plaintext. Because the diagnostics HTTP endpoints require no authentication, any process within the cluster network capable of …

Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways with GatewayClass missing `konghq.com/gatewayclass-unmanaged: 'true'` annotation

A vulnerability in the Kong Ingress Controller (KIC) allows for the unauthorized exfiltration of TLS certificates and private keys across Kubernetes namespace boundaries. In "managed" mode (where the GatewayClass lacks an unmanaged annotation), the Gateway TLS translator skips critical status checks. This bypass allows the translator to fetch Secrets from any namespace KIC watches, even when a ReferenceGrant explicitly denies access or is missing. An actor with RBAC permissions to …
