The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
History

Mon, 25 Nov 2024 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Kubernetes; Kubernetes kubelet
CPEs | | cpe:2.3:a:kubernetes:kubelet:*:*:*:*:*:*:*:*
Vendors & Products | | Kubernetes; Kubernetes kubelet
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 22 Nov 2024 17:30:00 +0000

Type | Values Removed | Values Added
References | |

Fri, 22 Nov 2024 16:45:00 +0000

Type | Values Removed | Values Added
Description | A flaw was found in the Kubelet component from the Kubernetes package. This flaw allows an attacker to create a pod and an associated gitRepo volume to execute arbitrary commands outside the container, bypassing the intended isolation between the container and the host. | The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
Title | kubernetes: Arbitrary command execution through gitRepo volume | Arbitrary command execution through gitRepo volume
Weaknesses | | CWE-22
References | |

Fri, 22 Nov 2024 14:00:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in the Kubelet component from the Kubernetes package. This flaw allows an attacker to create a pod and an associated gitRepo volume to execute arbitrary commands outside the container, bypassing the intended isolation between the container and the host.
Title | | kubernetes: Arbitrary command execution through gitRepo volume
Weaknesses | | CWE-653
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}; threat_severity: Important


MITRE

Status: PUBLISHED

Assigner: kubernetes

Published: 2024-11-22T16:23:00.535Z

Updated: 2024-11-25T18:22:59.457Z

Reserved: 2024-10-21T18:56:00.535Z

Link: CVE-2024-10220

Vulnrichment

Updated: 2024-11-22T17:02:54.798Z

NVD

Status: Received

Published: 2024-11-22T17:15:06.650

Modified: 2024-11-22T17:15:06.650

Link: CVE-2024-10220

Redhat

Severity: Important

Public Date: 2024-11-08T16:00:00Z

Links: CVE-2024-10220 - Bugzilla