diff --git a/cve-mitigation/cve-2024-7646/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/cve-mitigation/cve-2024-7646/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100644
index 00000000..c31a3815
--- /dev/null
+++ b/cve-mitigation/cve-2024-7646/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-nginx-ingress-controller
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/cve-mitigation/cve-2024-7646/.chainsaw-test/chainsaw-test.yaml b/cve-mitigation/cve-2024-7646/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 00000000..5aa20f08
--- /dev/null
+++ b/cve-mitigation/cve-2024-7646/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: validate-nginx-ingress-controller
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../validate-nginx-ingress-controller.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: validate-nginx-ingress-controller
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
\ No newline at end of file
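Review bot: None of the fixtures applied in step-02 (pod-good.yaml, pod-bad.yaml, podcontroller-good.yaml, podcontroller-bad.yaml) is an `Ingress`, yet the policy's `validate-ingress-annotations` and `validate-auth-tls-verify-client` rules match only `kinds: [Ingress]`, so the server-snippet and auth-tls-verify-client cases in badpod01/badpod03 and baddeployment01/baddeployment03 never reach the rules they are meant to exercise; the same gap applies to the "good" annotation fixtures. Likewise the version rule filters on `containers[?(@.name=='controller')]` while every fixture names its container `nginx-controller`, so badpod02 and baddeployment02 are unlikely to be selected by that key and the `($error != null): true` checks on pod-bad.yaml and podcontroller-bad.yaml may pass or fail for a reason other than the one under test. Add an `ingress-good.yaml`/`ingress-bad.yaml` pair for the annotation cases and rename the version fixtures' container to `controller` (or make the rule select by image rather than container name). The step-01 `patch` that sets `validationFailureAction: Enforce` duplicates the value already in the policy file; harmless, but it could be dropped or commented as deliberate.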
diff --git a/cve-mitigation/cve-2024-7646/.chainsaw-test/pod-bad.yaml b/cve-mitigation/cve-2024-7646/.chainsaw-test/pod-bad.yaml
new file mode 100644
index 00000000..2cc74ed2
--- /dev/null
+++ b/cve-mitigation/cve-2024-7646/.chainsaw-test/pod-bad.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01-new
+ annotations:
+ nginx.ingress.kubernetes.io/server-snippet: |
+ add_header X-Safe-Header "Safe Content";
+ add_header X-Vuln-Header "Benign\r
+ HTTP/1.1 200 OK
+ Content-Type: text/html
+
+
+ --------";
+ return 200 "Original Content";
+spec:
+ containers:
+ - name: nginx-controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.11.3
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod02-new
+spec:
+ containers:
+ - name: nginx-controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.11.1
+ - name: nginx-controller-1
+ image: registry.k8s.io/ingress-nginx/controller:v1.10.9
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod03-new
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "skip"
+spec:
+ containers:
+ - name: nginx-controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.11.3
diff --git a/cve-mitigation/cve-2024-7646/.chainsaw-test/pod-good.yaml b/cve-mitigation/cve-2024-7646/.chainsaw-test/pod-good.yaml
new file mode 100644
index 00000000..5862ed06
--- /dev/null
+++ b/cve-mitigation/cve-2024-7646/.chainsaw-test/pod-good.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01-new
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+spec:
+ containers:
+ - name: nginx-controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.11.3
diff --git a/cve-mitigation/cve-2024-7646/.chainsaw-test/podcontroller-bad.yaml b/cve-mitigation/cve-2024-7646/.chainsaw-test/podcontroller-bad.yaml
new file mode 100644
index 00000000..66b9a343
--- /dev/null
+++ b/cve-mitigation/cve-2024-7646/.chainsaw-test/podcontroller-bad.yaml
@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: baddeployment01-new
+ annotations:
+ nginx.ingress.kubernetes.io/server-snippet: |
+ add_header X-Safe-Header "Safe Content";
+ add_header X-Vuln-Header "Benign\r
+ HTTP/1.1 200 OK
+ Content-Type: text/html
+
+
+ --------";
+ return 200 "Original Content";
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: nginx-controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.11.3
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: baddeployment02-new
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: nginx-controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.10.8
+ - name: nginx-controller-1
+ image: registry.k8s.io/ingress-nginx/controller:v1.9.8
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: baddeployment03-new
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "skip"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: nginx-controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.11.5
diff --git a/cve-mitigation/cve-2024-7646/.chainsaw-test/podcontroller-good.yaml b/cve-mitigation/cve-2024-7646/.chainsaw-test/podcontroller-good.yaml
new file mode 100644
index 00000000..076011ff
--- /dev/null
+++ b/cve-mitigation/cve-2024-7646/.chainsaw-test/podcontroller-good.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gooddeployment01-new
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: nginx-controller
+ image: registry.k8s.io/ingress-nginx/controller:v1.11.3
+ - name: nginx-controller-1
+ image: registry.k8s.io/ingress-nginx/controller:v1.11.4
diff --git a/cve-mitigation/cve-2024-7646/README.md b/cve-mitigation/cve-2024-7646/README.md
new file mode 100644
index 00000000..72c50c26
--- /dev/null
+++ b/cve-mitigation/cve-2024-7646/README.md
@@ -0,0 +1,7 @@
+A new Kubernetes vulnerability, [CVE-2024-7646](https://nvd.nist.gov/vuln/detail/CVE-2024-7646), has recently been identified and demands urgent attention from security professionals and DevOps teams. This vulnerability severely threatens the security of systems using the widely adopted ingress-nginx controller, potentially allowing attackers to bypass annotation validation and gain unauthorized access to critical cluster resources.
+
+To resolve the CVE-2024-7646 vulnerability in Kubernetes environments using ingress-nginx, it’s critical to take immediate steps:
+
+1. Upgrade Ingress-NGINX: The most effective measure is to upgrade ingress-nginx to version 1.11.2 or higher. This version contains the necessary security patches to mitigate the vulnerability, preventing attackers from exploiting the annotation validation bypass.
+1. Restrict Annotations: Explicitly disallow the nginx.ingress.kubernetes.io/server-snippet annotation to further safeguard your system. This step ensures that no unauthorized or potentially malicious configurations can be injected.
+1. Enforce TLS Client Verification: Set the auth-tls-verify-client annotation to either ‘on,’ ‘off,’ ‘optional,’ or ‘optional_no_ca’ values. This enforces stricter control over TLS client authentication, reducing the attack surface by ensuring that only correctly authenticated clients can interact with your services.
diff --git a/cve-mitigation/cve-2024-7646/validate-nginx-ingress-controller.yaml b/cve-mitigation/cve-2024-7646/validate-nginx-ingress-controller.yaml
new file mode 100644
index 00000000..60eba029
--- /dev/null
+++ b/cve-mitigation/cve-2024-7646/validate-nginx-ingress-controller.yaml
@@ -0,0 +1,68 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-nginx-ingress-controller
+ annotations:
+ policies.kyverno.io/title: CVE-2024-7646 Nginx Ingress Controller
+ policies.kyverno.io/category: Mitigate CVEs
+ policies.kyverno.io/severity: critical
+ policies.kyverno.io/description: >-
+ A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. (Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-7646)
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: validate-ingress-annotations
+ match:
+ resources:
+ kinds:
+ - Ingress
+ validate:
+ message: "The annotation nginx.ingress.kubernetes.io/server-snippet is not allowed."
+ pattern:
+ metadata:
+ annotations:
+ X(*-snippet): "?*"
+ - name: validate-auth-tls-verify-client
+ match:
+ resources:
+ kinds:
+ - Ingress
+ validate:
+ message: "auth-tls-verify-client annotation must be one of 'on', 'off', 'optional', or 'optional_no_ca'."
+ deny:
+ conditions:
+ any:
+ - key: "{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/auth-tls-verify-client\"}}"
+ operator: AnyNotIn
+ value:
+ - "on"
+ - "off"
+ - "optional"
+ - "optional_no_ca"
+
+ - name: deny-lower-ingress-nginx-controller-versions
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "The ingress-nginx controller image version must be v1.11.2 or greater."
+ deny:
+ conditions:
+ - key: "{{ request.object.spec.containers[?(@.name=='controller')].image }}"
+ operator: AnyIn
+ value:
+ - "registry.k8s.io/ingress-nginx/controller:v1.11.0"
+ - "registry.k8s.io/ingress-nginx/controller:v1.11.1"
+ - "registry.k8s.io/ingress-nginx/controller:v1.10.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.9.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.8.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.7.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.6.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.5.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.4.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.3.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.2.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.1.*"
+ - "registry.k8s.io/ingress-nginx/controller:v1.0.*"
\ No newline at end of file
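Review bot: The key `containers[?(@.name=='controller')].image` in `deny-lower-ingress-nginx-controller-versions` only compares containers literally named `controller`, so a controller running under any other container name (the chainsaw fixtures use `nginx-controller`) is never checked against the denylist; selecting by image instead, `key: "{{ request.object.spec.containers[].image }}"`, keeps the check independent of naming, since images that are not ingress-nginx simply match no value. The denylist also falls short of the rule's message "must be v1.11.2 or greater": it rejects a fixed set of `registry.k8s.io/ingress-nginx/controller` tags, so a digest-pinned reference, a mirror or private registry, a `controller-chroot` variant if used, or any tag not listed passes even when older than v1.11.2, and the `v1.10.*` entries rely on wildcard matching in AnyIn values, which is worth confirming for the Kyverno version in use or replacing with a `semver_compare` check on the tag. In `validate-auth-tls-verify-client`, what happens when the annotation is absent depends on how Kyverno resolves a null JMESPath result in deny conditions; making it explicit with a `preconditions` on the annotation's presence, or defaulting the key with `|| ''`, documents whether an unannotated Ingress is allowed (presumably ingress-nginx's default) or denied as the README implies. In `validate-ingress-annotations` the message names only `server-snippet` while the pattern `X(*-snippet)` rejects every `*-snippet` annotation (e.g. `configuration-snippet`); align the message with the pattern so operators understand why a resource was denied.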