April 4, 2025
This release (1.23.1-H2) of the Cloudera Data Engineering service on Cloudera on cloud introduces the following changes.
This release does not contain new features, but includes the following fix:
DEX-16625: Nginx-ingress update to mitigate CVEs
- CVE-2025-24513 (CVSS score: 4.8): An improper input validation vulnerability that could result in directory traversal within the container, leading to denial of service (DoS) or limited disclosure of secret objects from the cluster when combined with other vulnerabilities.
- CVE-2025-24514 (CVSS score: 8.8): The auth-url Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
- CVE-2025-1097 (CVSS score: 8.8): The auth-tls-match-cn Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
- CVE-2025-1098 (CVSS score: 8.8): The mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
- CVE-2025-1974 (CVSS score: 9.8): An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions.
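Three of the five CVEs above are reached through specific Ingress annotations, so a useful companion check to the controller update is an inventory of which Ingress objects in the cluster actually carry those annotations. The following script is an added example, not part of the Cloudera release or of ingress-nginx; it reads the JSON that `kubectl get ingress -A -o json` produces (the sample document below is constructed inline) and reports every object using `nginx.ingress.kubernetes.io/auth-url`, `auth-tls-match-cn`, `mirror-target` or `mirror-host`, mapped to the CVE from the note that names it. It is an inventory aid only: CVE-2025-24513 and CVE-2025-1974 do not depend on any annotation, so the controller version update remains the mitigation for all five.

```python
"""Inventory Ingress objects for the annotations named in the ingress-nginx CVEs.

Feed it `kubectl get ingress -A -o json` (an object with an "items" list); the
SAMPLE_KUBECTL_OUTPUT below is constructed for this example and is not real
cluster data. Added example, not code from the release note or from ingress-nginx.
"""
import json
import sys

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Annotation short name -> CVE from the release note that names it.
WATCHED_ANNOTATIONS = {
    "auth-url": "CVE-2025-24514",
    "auth-tls-match-cn": "CVE-2025-1097",
    "mirror-target": "CVE-2025-1098",
    "mirror-host": "CVE-2025-1098",
}

# Constructed sample: three Ingress objects, two of which use watched annotations.
SAMPLE_KUBECTL_OUTPUT = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "team-a", "name": "api",
                      "annotations": {
                          "kubernetes.io/ingress.class": "nginx",
                          "nginx.ingress.kubernetes.io/auth-url": "http://auth.team-a.svc/verify",
                      }}},
        {"metadata": {"namespace": "team-b", "name": "shadow-traffic",
                      "annotations": {
                          "nginx.ingress.kubernetes.io/mirror-target": "https://mirror.example.internal/",
                          "nginx.ingress.kubernetes.io/mirror-host": "mirror.example.internal",
                      }}},
        {"metadata": {"namespace": "team-c", "name": "plain",
                      "annotations": {"nginx.ingress.kubernetes.io/ssl-redirect": "true"}}},
    ],
})


def find_watched_annotations(ingress_list):
    """Return one finding dict per (Ingress, watched annotation) pair."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        # Annotations may be absent or explicitly null in kubectl output.
        annotations = meta.get("annotations") or {}
        for key, value in annotations.items():
            if not key.startswith(ANNOTATION_PREFIX):
                continue
            short = key[len(ANNOTATION_PREFIX):]
            cve = WATCHED_ANNOTATIONS.get(short)
            if cve is None:
                continue
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "name": meta.get("name", "<unnamed>"),
                "annotation": short,
                "value": str(value),
                "cve": cve,
            })
    # Stable ordering so the report (and any diff of it over time) is deterministic.
    findings.sort(key=lambda f: (f["namespace"], f["name"], f["annotation"]))
    return findings


def scan_json_text(text):
    """Parse kubectl JSON output and return the findings list."""
    return find_watched_annotations(json.loads(text))


def format_report(findings):
    """Render findings as one line per hit: namespace/name  annotation  CVE  value."""
    if not findings:
        return "no Ingress objects use the annotations named in the CVEs"
    return "\n".join(
        f"{f['namespace']}/{f['name']}  {f['annotation']}  {f['cve']}  {f['value']}"
        for f in findings
    )


if __name__ == "__main__":
    # Use real cluster output when piped in; otherwise fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_OUTPUT
    print(format_report(scan_json_text(text)))
```

Run it as `kubectl get ingress -A -o json | python3 inventory.py` against a real cluster, or with no input to see the constructed sample reported. Teams whose Ingress objects appear in the output have the most direct exposure to the annotation-driven CVEs and are the ones to confirm first that they are being served by the updated controller.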