CVE-2022-4886

HIGH

ingress-nginx <1.8.0 - path Sanitization Bypass via log_format Directive

Title source: manual

Ingress-nginx `path` sanitization can be bypassed with `log_format` directive.

Core 4

Core References

Mailing List, Third Party Advisory

Vendor Advisory

Mitigation, Vendor Advisory issue-tracking

Mailing List, Mitigation mailing-list

CVSS v3 8.8

EPSS 0.0157

EPSS Percentile 72.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

CWE

CWE-20

Status published

Products (2)

k8s.io/ingress-nginx 0 - 1.8.0Go

kubernetes/ingress-nginx < 1.8.0

Published Oct 25, 2023

Tracked Since Feb 18, 2026