Skip to main content
Version: latest

CVE-2025-24514

CVE Details

Visit the official vulnerability details page for CVE-2025-24514 to learn more.

Initial Publication

03/25/2025

Last Update

05/21/2025

This CVE does not have a third party dependency.

NIST CVE Summary

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CVE Severity

undefined

Our Official Summary

This high priority CVE reported on nginx ingress controller affects both Paltte & Vertex deployments. Workload clusters using nginx-controller versions v1.11.0, v1.11.0 - 1.11.4, v1.12.0 are also vulnerable. Attackers with access to the pod network can use remote code execution to dump confidential information such as secrets in the affected clusters, if this CVE is chained with other vulnerabilities. Ingress controller version should be updated to 1.11.5 or 1.12.1 to fix the vulnerabilities. Palette, VerteX Saas deployments and the managed dedicated Palette deployments are patched. For a more detailed desciption, timeline and remediation steps: https://docs.spectrocloud.com/security-bulletins/security-advisories.

Status

Ongoing

Affected Products & Versions

VersionPalette EnterprisePalette Enterprise AirgapVerteXVerteX Airgap
4.6.12⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.22⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.4.20⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted

Revision History

No revisions available.