Hello Kubernetes Community,
A security vulnerability was discovered in Kubernetes that could allow a user with the ability to create a pod and associate a gitRepo volume to execute arbitrary commands beyond the container boundary. This vulnerability leverages the hooks folder in the target repository to run arbitrary commands outside of the container's boundary.
Please note that this issue was originally publicly disclosed with a fix in July (#124531), and we are retroactively assigning it a CVE to assist in awareness and tracking.
This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) (score: 8.1), and assigned CVE-2024-10220.
This CVE affects Kubernetes clusters where pods use the in-tree gitRepo volume to clone a repository to a subdirectory. If the Kubernetes cluster is running one of the affected versions listed below, then it is vulnerable to this issue.
kubelet v1.30.0 to v1.30.2
kubelet v1.29.0 to v1.29.6
kubelet <= v1.28.11
kubelet v1.31.0
kubelet v1.30.3
kubelet v1.29.7
kubelet v1.28.12
To detect whether this vulnerability has been exploited, you can use the following command to list all pods that use the in-tree gitRepo volume and clones to a .git subdirectory.
kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.volumes[].gitRepo.directory | endswith("/.git")) | {name: .metadata.name, namespace: .metadata.namespace}
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/128885
This vulnerability was reported and mitigated by Imre Rad.
Thank You,
Craig Ingram on behalf of the Kubernetes Security Response Committee