Skip to content

CVE-2024-10220: Arbitrary command execution through gitRepo volume #128885

New issue
New issue
Closed
Closed
CVE-2024-10220: Arbitrary command execution through gitRepo volume#128885
Labels
area/kubeletarea/securitycommittee/security-responseDenotes an issue or PR intended to be handled by the product security committee.kind/bugCategorizes issue or PR as related to a bug.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.official-cve-feedIssues or PRs related to CVEs officially announced by Security Response Committee (SRC)sig/nodeCategorizes an issue or PR as relevant to SIG Node.
@cji

Description

@cji
cji
opened on Nov 20, 2024

A security vulnerability was discovered in Kubernetes that could allow a user with the ability to create a pod and associate a gitRepo volume to execute arbitrary commands beyond the container boundary. This vulnerability leverages the hooks folder in the target repository to run arbitrary commands outside of the container's boundary.

Please note that this issue was originally publicly disclosed with a fix in July (#124531), and we are retroactively assigning it a CVE to assist in awareness and tracking.

This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) (score: 8.1), and assigned CVE-2024-10220.

Am I vulnerable?

This CVE affects Kubernetes clusters where pods use the in-tree gitRepo volume to clone a repository to a subdirectory. If the Kubernetes cluster is running one of the affected versions listed below, then it is vulnerable to this issue.

Affected Versions

  • kubelet v1.30.0 to v1.30.2
  • kubelet v1.29.0 to v1.29.6
  • kubelet <= v1.28.11

How do I mitigate this vulnerability?

To mitigate this vulnerability, you must upgrade your Kubernetes cluster to one of the fixed versions listed below.

Additionally, since the gitRepo volume has been deprecated, the recommended solution is to perform the Git clone operation using an init container and then mount the directory into the Pod's container. An example of this approach is provided here.

Fixed Versions

Detection

To detect whether this vulnerability has been exploited, you can use the following command to list all pods that use the in-tree gitRepo volume and clones to a .git subdirectory.

kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.volumes[].gitRepo.directory | endswith("/.git")) | {name: .metadata.name, namespace: .metadata.namespace}

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Acknowledgements

This vulnerability was reported and mitigated by Imre Rad.

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig node
/area kubelet

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/kubeletarea/securitycommittee/security-responseDenotes an issue or PR intended to be handled by the product security committee.kind/bugCategorizes issue or PR as related to a bug.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.official-cve-feedIssues or PRs related to CVEs officially announced by Security Response Committee (SRC)sig/nodeCategorizes an issue or PR as relevant to SIG Node.

    Type

    No type

    Projects

    SIG Node Bugs

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions