[Security Advisory] CVE-2024-10220: Arbitrary command execution through gitRepo volume

Security_k8s.io · November 20, 2024, 3:32pm

Hello Kubernetes Community,

A security vulnerability was discovered in Kubernetes that could allow a user with the ability to create a pod and associate a gitRepo volume to execute arbitrary commands beyond the container boundary. This vulnerability leverages the hooks folder in the target repository to run arbitrary commands outside of the container’s boundary.

Please note that this issue was originally publicly disclosed with a fix in July (#124531), and we are retroactively assigning it a CVE to assist in awareness and tracking.

This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) (score: 8.1), and assigned CVE-2024-10220.

Am I vulnerable?

This CVE affects Kubernetes clusters where pods use the in-tree gitRepo volume to clone a repository to a subdirectory. If the Kubernetes cluster is running one of the affected versions listed below, then it is vulnerable to this issue.

Affected Versions

kubelet v1.30.0 to v1.30.2
kubelet v1.29.0 to v1.29.6
kubelet <= v1.28.11

How do I mitigate this vulnerability?To mitigate this vulnerability, you must upgrade your Kubernetes cluster to one of the fixed versions listed below. Additionally, since the gitRepo volume has been deprecated, the recommended solution is to perform the Git clone operation using an init container and then mount the directory into the Pod’s container. An example of this approach is provided here.Fixed Versions

kubelet v1.31.0
kubelet v1.30.3
kubelet v1.29.7
kubelet v1.28.12

Detection

To detect whether this vulnerability has been exploited, you can use the following command to list all pods that use the in-tree gitRepo volume and clones to a .git subdirectory.

kubectl get pods --all-namespaces -o json | jq '.items | select(.spec.volumes.gitRepo.directory | endswith(“/.git”)) | {name: .metadata.name, namespace: .metadata.namespace}

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/128885

Acknowledgements

This vulnerability was reported and mitigated by Imre Rad.

Thank You,

Craig Ingram on behalf of the Kubernetes Security Response Committee

Topic	Replies	Views
[Security Advisory] CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation Announcements	5204	August 23, 2023
[Security Advisory] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Announcements	1425	November 14, 2023
[Security Advisory] CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation Announcements	1954	August 23, 2023
[Security Advisory] CVE-2024-5321: Incorrect permissions on Windows containers logs Announcements	145	July 17, 2024
[ANNOUNCE] CVE-2019-11253: denial of service vulnerability from malicious YAML or JSON payloads Announcements cve	3873	October 16, 2019

[Security Advisory] CVE-2024-10220: Arbitrary command execution through gitRepo volume

Related topics