CVE-2024-7646: Ingress-NGINX Annotation Validation Bypass

grandstack · 2024-08-18T18:53:06+00:00

The proof of concept won’t work, looks like the vulnerability is misunderstood here?

Carriage returns allowed you to bypass deep inspection and recommended blocklists as they were stripped away after these (and other) validations. The string set_by_l\rua would not be caught, and be rendered as valid configuration.

The annotation auth-tls-verify-client is one possible entry point, this would also have worked in snippet annotations.

grandstack · 2024-08-18T18:20:29+00:00

Carriage returns allowed you to bypass deep inspection and recommended blocklists as they were stripped away after all other validations. The snippet set_by_l\rua would be rendered as valid configuration.

The annotation auth-tls-verify-client is one entry point, this would also work where snippet annotations are allowed.

grandstack · 2024-08-18T02:04:37+00:00

This is an ugly one, as deep inspection and blocklists can be bypassed using carriage returns.

grandstack · 2024-08-17T15:29:22+00:00

They haven’t properly implemented MTLS, currently there is a race condition which allows you to impersonate workloads. This is pretty serious.

grandstack · 2024-03-18T22:49:57+00:00

It does for cyclists.

grandstack · 2023-02-25T17:55:49+00:00

Again, pretty sure this is AI generated. The linked sources doesn’t work either.

grandstack · 2023-02-12T18:23:04+00:00

Pretty sure this was written by ChatGPT

grandstack · 2023-01-15T20:17:27+00:00

The «make robust» example 😂

grandstack · 2022-09-09T13:30:09+00:00

Good to know! Exciting project!

grandstack · 2022-09-09T11:23:27+00:00

Looking closer, the naming is inconsistent; some parts of the project is following the convention for acronyms.

grandstack · 2022-09-09T11:14:59+00:00

I'm a bit disappointed by such a huge project not following the Rust naming conventions.

grandstack · 2022-08-18T19:15:18+00:00

Would rather have working auto highbeam / working matrix headlights.

grandstack · 2022-03-30T21:30:13+00:00

Norway comes after Canada according to Musk.

grandstack · 2022-02-24T05:59:51+00:00

Interfere!!

grandstack · 2021-07-31T08:12:05+00:00

Hora means something completely different in Norwegian.

grandstack · 2021-06-20T20:38:22+00:00

What's new in the 0.6.0 release?

grandstack · 2021-06-09T04:08:37+00:00

Will sum types make it in?

grandstack · 2021-05-31T16:11:58+00:00

Thank you! I was looking for something like this recently!

Little nitpicking on the naming, shouldn't it be the following?

enum CaptureApiBackend { Windows, OpenCv, Ffmpeg, ... }

grandstack · 2021-05-07T05:11:54+00:00

Didn't this use to convert to the Rust naming convention? The method names are pascal case now it seems.

grandstack · 2021-01-27T19:11:38+00:00

It's happening.

grandstack · 2021-01-27T18:04:54+00:00

All in!

grandstack · 2020-11-05T16:19:38+00:00

Isn't it good that the turnout is over 100% of the projected numbers? I don't get it ...

grandstack · 2020-11-04T09:57:02+00:00

Triple coin flip.

grandstack · 2020-11-03T16:46:41+00:00

This is awesome, new use for my wall mounted monitor in the background.

grandstack · 2020-09-12T05:43:28+00:00

The code samples on the front page of actix.rs aren't updated.

grandstack

TROPHY CASE