Hello Kubernetes Community,
A security vulnerability was discovered in Kubernetes that could allow a user with the ability to create a pod and associate a gitRepo volume to execute arbitrary commands beyond the container boundary. This vulnerability leverages the hooks folder in the target repository to run arbitrary commands outside of the container's boundary.
Please note that this issue was originally publicly disclosed with a fix in July (#124531), and we are retroactively assigning it a CVE to assist in awareness and tracking.
This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) (score: 8.1), and assigned CVE-2024-10220.
This CVE affects Kubernetes clusters where pods use the in-tree gitRepo volume to clone a repository to a subdirectory. If the Kubernetes cluster is running one of the affected versions listed below, then it is vulnerable to this issue.
kubelet v1.30.0 to v1.30.2
kubelet v1.29.0 to v1.29.6
kubelet <= v1.28.11
kubelet v1.31.0
kubelet v1.30.3
kubelet v1.29.7
kubelet v1.28.12
To detect whether this vulnerability has been exploited, you can use the following command to list all pods that use the in-tree gitRepo volume and clones to a .git subdirectory.
kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.volumes[].gitRepo.directory | endswith("/.git")) | {name: .metadata.name, namespace: .metadata.namespace}
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/128885
This vulnerability was reported and mitigated by Imre Rad.
Thank You,
Craig Ingram on behalf of the Kubernetes Security Response Committee
Hello!
INC3249969 ([Security Advisory] CVE-2024-10220: Arbitrary command execution through gitRepo volume) has been updated.
Opened for: distributo...@kubernetes.io
Followers: kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io
Abhishek Raj updated your request with the following comments:
How can I track and update my request?
To respond, reply to this email. You may also create a new email and include the request number (INC3249969) in the subject.
Thank you,
Product Security