A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
The vulnerability is patched in ingress-nginx versions 0.49.1, 1.0.1, and later, but can also be mitigated by restricting the .metadata.annotations field on networking.k8s.io/Ingress resource.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-25742
https://github.com/kubernetes/ingress-nginx/issues/7837