BLOG | NGINX

Which NGINX Ingress Controllers Are Impacted by CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044?

NGINX-Part-of-F5-horiz-black-type-RGB
Ilya Krutov Thumbnail
Ilya Krutov
Published November 03, 2023

On October 25, 2023, three CVEs were reported by the National Institute of Standards and Technology (NIST) that affected NGINX Ingress Controller for Kubernetes:

  • CVE-2022-4886 – ingress-nginx path sanitization can be bypassed with log_format directive.
  • CVE-2023-5043 – ingress-nginx annotation injection causes arbitrary command execution.
  • CVE-2023-5044 – Code injection occurs via nginx.ingress.kubernetes.io/permanent-redirect annotation.

That report and subsequent publications (such as Urgent: New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes) caused some confusion (and a number of support inquiries) pertaining to which NGINX Ingress controllers are actually affected and who should be concerned about addressing vulnerabilities described by these CVEs.

The confusion is totally understandable – did you know that there is more than one Ingress controller based on NGINX? To start, there are two completely different projects named “NGINX Ingress Controller”:

There are also other Ingress controllers based on NGINX, such as Kong. Fortunately, their names are easily distinguished. If you’re not sure which one you’re using, check the container image of the running Ingress controller, then compare the Docker image name with the repos listed above.

The vulnerabilities (CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044) described above only apply to the community project (kubernetes/ingress-nginx). NGINX projects for NGINX Ingress Controller (nginxinc/kubernetes-ingress, both open source and commercial) are not affected by these CVEs.

For more information about the differences between NGINX Ingress Controller and Ingress controller projects, read our blog A Guide to Choosing an Ingress Controller, Part 4: NGINX Ingress Controller Options.


"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous NGINX.com links will redirect to similar NGINX content on F5.com."