Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2024-10220 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software | Kubelet (Web applications / Modules and components for CMS) |
Vendor | Kubernetes |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU101778
Risk: Medium
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2024-10220
CWE-ID: CWE-20 - Improper input validation
Exploit availability: Yes
Description: The vulnerability allows a remote user to execute arbitrary commands on the system.
The vulnerability exists due to an error when handling gitRepo volumes. A remote user with the ability to create a pod and associate a gitRepo volume can execute arbitrary commands beyond the container boundary.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Kubelet 1.28.0 - 1.30.2
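As an added example that is not part of this bulletin, the following Python check lets a cluster operator inventory exposure to this issue: it lists Pods and Deployments whose pod spec mounts a gitRepo volume (the volume type named in the description) and tests a kubelet version string against the affected range above. The sample objects, namespaces and repository URLs are constructed; in practice the input would be the JSON from `kubectl get pods,deployments -A -o json`.

```python
"""Exposure check for CVE-2024-10220: list workloads using gitRepo volumes."""
import json

# Constructed sample resembling `kubectl get pods,deployments -A -o json` (abridged).
SAMPLE_LIST = json.loads("""
{"items": [
 {"kind": "Pod", "metadata": {"name": "web-1", "namespace": "team-a"},
  "spec": {"volumes": [{"name": "src", "gitRepo": {"repository": "https://git.example/app.git"}}]}},
 {"kind": "Pod", "metadata": {"name": "cache", "namespace": "team-a"},
  "spec": {"volumes": [{"name": "data", "emptyDir": {}}]}},
 {"kind": "Deployment", "metadata": {"name": "api", "namespace": "team-b"},
  "spec": {"template": {"spec": {"volumes": [
    {"name": "code", "gitRepo": {"repository": "https://git.example/api.git", "revision": "main"}}]}}}}
]}
""")

# Affected kubelet range as stated in the bulletin.
AFFECTED_MIN, AFFECTED_MAX = (1, 28, 0), (1, 30, 2)

def parse_kubelet_version(version):
    """Reduce 'v1.29.3', '1.29.3-gke.100' or '1.29.3+k3s1' to (major, minor, patch)."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split(".")[:3])

def kubelet_is_affected(version):
    """True when the kubelet version falls inside the bulletin's affected range."""
    return AFFECTED_MIN <= parse_kubelet_version(version) <= AFFECTED_MAX

def pod_spec_of(obj):
    """Pods carry the pod spec directly; Deployments and similar controllers wrap it in spec.template."""
    spec = obj.get("spec") or {}
    return (spec.get("template") or {}).get("spec", spec)

def find_gitrepo_volumes(items):
    """Return (namespace, kind, name, volume name, repository) for each gitRepo volume found."""
    hits = []
    for obj in items:
        meta = obj.get("metadata") or {}
        for vol in pod_spec_of(obj).get("volumes") or []:  # volumes may be null
            if "gitRepo" in vol:
                hits.append((meta.get("namespace"), obj.get("kind"), meta.get("name"),
                             vol.get("name"), vol["gitRepo"].get("repository")))
    return hits

if __name__ == "__main__":
    print("kubelet v1.29.3 affected:", kubelet_is_affected("v1.29.3"))
    for hit in find_gitrepo_volumes(SAMPLE_LIST["items"]):
        print("gitRepo volume: ns=%s kind=%s name=%s volume=%s repo=%s" % hit)
```

Any hit on a node running an affected kubelet is a workload to prioritise when rolling out the vendor update; CronJobs and other templates nested deeper than spec.template are not walked by this check.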
http://www.openwall.com/lists/oss-security/2024/11/20/1
http://github.com/kubernetes/kubernetes/issues/128885
http://groups.google.com/g/kubernetes-security-announce/c/ptNgV5Necko
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.