CVE-2025-24514
CVE Details
Visit the official vulnerability details page for CVE-2025-24514 to learn more.
Initial Publication
03/25/2025
Last Update
05/23/2025
This CVE does not have a third party dependency.
NIST CVE Summary
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
CVE Severity
Our Official Summary
This high priority CVE reported on nginx ingress controller affects both Paltte & Vertex deployments. Workload clusters using nginx-controller versions v1.11.0, v1.11.0 - 1.11.4, v1.12.0 are also vulnerable. Attackers with access to the pod network can use remote code execution to dump confidential information such as secrets in the affected clusters, if this CVE is chained with other vulnerabilities. Ingress controller version should be updated to 1.11.5 or 1.12.1 to fix the vulnerabilities. Palette, VerteX Saas deployments and the managed dedicated Palette deployments are patched. For a more detailed desciption, timeline and remediation steps: https://docs.spectrocloud.com/security-bulletins/security-advisories.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.6.12 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.22 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.4.20 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
| Date | Revision |
|---|---|
| 05/23/2025 | Advisory severity revised to UNKNOWN from HIGH |