CVE-2025-24513

CVE Details

Visit the official vulnerability details page for CVE-2025-24513 to learn more.

Initial Publication

03/25/2025

Last Update

03/28/2025

This CVE does not have a third party dependency.

NIST CVE Summary

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.

CVE Severity

8.8

Our Official Summary

This high-priority CVE, reported against the NGINX ingress controller, affects both Palette and VerteX deployments. Workload clusters running nginx-controller versions v1.11.0 through v1.11.4, or v1.12.0, are also vulnerable. If this CVE is chained with other vulnerabilities, attackers with access to the pod network can achieve remote code execution and dump confidential information such as Secrets from the affected clusters. Update the ingress controller to version 1.11.5 or 1.12.1 to fix the vulnerabilities. Palette and VerteX SaaS deployments and the managed dedicated Palette deployments are patched. For a more detailed description, timeline and remediation steps, see https://docs.spectrocloud.com/security-bulletins/security-advisories.
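As an added defender-side check (not part of this advisory or of Spectro Cloud's tooling), the Python below classifies ingress-nginx controller image tags against the version ranges stated above and reports the fixed release to move to. The pod listing it parses is a constructed sample in the shape of `kubectl get pods -A -o custom-columns=...` output; the namespaces, pod names and digest are made up.

```python
import re

# Version ranges from the advisory: v1.11.0 through v1.11.4 and v1.12.0 are
# affected; 1.11.5 and 1.12.1 are the fixed releases named above.
AFFECTED_RANGES = [((1, 11, 0), (1, 11, 4)), ((1, 12, 0), (1, 12, 0))]
FIXED_RELEASES = {(1, 11): "v1.11.5", (1, 12): "v1.12.1"}

# Matches the semver tag of an image reference; tolerates an optional "v",
# a trailing "@sha256:..." digest, and ignores registry ports like ":5000/".
_TAG_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)(?:[-+@]|$)")


def controller_version(image_ref):
    """Return (major, minor, patch) from an image reference such as
    'registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:...'.
    Returns None for a digest-only pin, which must be resolved by hand."""
    m = _TAG_RE.search(image_ref)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(image_ref):
    """Classify one controller image: ('affected', fixed_release),
    ('patched', None), ('outside-advisory-range', None) for minors the
    advisory does not list, or ('unknown-version', None)."""
    ver = controller_version(image_ref)
    if ver is None:
        return "unknown-version", None
    for low, high in AFFECTED_RANGES:
        if low <= ver <= high:
            return "affected", FIXED_RELEASES[ver[:2]]
    if ver[:2] in FIXED_RELEASES:  # 1.11.x >= 1.11.5 or 1.12.x >= 1.12.1
        return "patched", None
    return "outside-advisory-range", None


# Constructed sample of: kubectl get pods -A -o custom-columns=\
#   NS:.metadata.namespace,NAME:.metadata.name,IMAGE:.spec.containers[*].image
SAMPLE_PODS = """\
ingress-nginx   ingress-nginx-controller-7d8f   registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:0000
nginx-ingress   nginx-ingress-controller-abc    registry.k8s.io/ingress-nginx/controller:v1.12.1
kube-system     coredns-1234                    registry.k8s.io/coredns/coredns:v1.11.1
"""


def scan_pod_listing(listing):
    """Return [(namespace, pod, status, fixed_release)] for every pod that
    runs an ingress-nginx controller image; other images are skipped."""
    findings = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        for image in parts[2].split(","):  # custom-columns joins images with ","
            if "ingress-nginx/controller" in image:
                findings.append((parts[0], parts[1]) + assess(image))
    return findings
```

Versions outside the listed ranges (for example 1.10.x) are reported as outside the advisory's scope rather than as safe; confirm them against the upstream ingress-nginx advisory.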

Status

Ongoing

Affected Products & Versions

Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap
4.6.18 | ✅ No Impact | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted
4.6.12 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.6.8 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.6.7 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.6.6 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.5.22 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.5.21 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.5.20 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.5.15 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.5.11 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.5.10 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.4.20 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted

Revision History

Date | Revision
03/28/2025 | Official summary revised: This high priority CVE reported on nginx ingress controller affects both Palette & VerteX deployments. Workload clusters using nginx-controller versions v1.11.0, v1.11.0 - 1.11.4, v1.12.0 are also vulnerable. Attackers with access to the pod network can use remote code execution to dump confidential information such as secrets in the affected clusters, if this CVE is chained with other vulnerabilities. Ingress controller version should be updated to 1.11.5 or 1.12.1 to fix the vulnerabilities. Palette, VerteX SaaS deployments and the managed dedicated Palette deployments are patched. For a more detailed description, timeline and remediation steps: https://docs.spectrocloud.com/security-bulletins/security-advisories.
03/28/2025 | Official summary revised: This high priority CVE reported on nginx ingress controller affects both Palette & VerteX deployments. Workload clusters using nginx-controller versions v1.11.0, v1.11.0 - 1.11.4, v1.12.0 are also vulnerable. Attacker can use remote code execution to dump confidential information such as secrets in the affected clusters, if this CVE is chained with other vulnerabilities. Ingress controller version should be updated to 1.11.5 or 1.12.1 to fix the vulnerabilities. Palette, VerteX SaaS deployments and the managed dedicated Palette deployments are patched. For a more detailed description, timeline and remediation steps: https://docs.spectrocloud.com/security-bulletins/security-advisories.
03/27/2025 | Official summary revised: This high CVE enables injecting arbitrary configuration into NGINX which can lead to arbitrary code execution or denial of service. This vulnerability has to be chained with others to exploit. Workload clusters using nginx-controller versions v1.11.0, v1.11.0 - 1.11.4, v1.12.0 are also vulnerable. Attacker can dump secrets from the cluster using the remote code execution. Ingress controller version should be updated to 1.11.5 or 1.12.1 to fix the vulnerabilities. For a more detailed description, timeline and remediation steps: https://docs.spectrocloud.com/security-bulletins/security-advisories
03/27/2025 | Official summary revised: This high CVE enables injecting arbitrary configuration into NGINX which can lead to arbitrary code execution or denial of service. This vulnerability has to be chained with others to exploit. Workload clusters using nginx-controller versions v1.11.0, v1.11.0 - 1.11.4, v1.12.0 are also vulnerable. Attacker can dump secrets from the cluster using the remote code execution. Ingress controller version should be updated to 1.11.5 or 1.12.1 to fix the vulnerabilities.