Description
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
A flaw was found in the Kubelet component of the Kubernetes package. This flaw allows an attacker who can create a pod with an associated gitRepo volume to execute arbitrary commands outside the container, bypassing the intended isolation between the container and the host.
Statement
This vulnerability is rated important severity because it allows arbitrary command execution beyond the container boundary, which can lead to a full compromise of the node. Because the kubelet performs the clone itself, a hooks directory in the target repository referenced by the gitRepo volume lets an attacker run commands in the kubelet's context on the host, and from there reach other pods on the node or in the cluster. This can result in unauthorized access, data exfiltration, or privilege escalation, making it far more impactful than a moderate vulnerability.
Mitigation
Users can restrict the usage of gitRepo volumes in their cluster using policies such as ValidatingAdmissionPolicy. A CEL expression can be used as part of the policy to reject any pod that declares a gitRepo volume.
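As an added example (this is not text or code from the original advisory), here is a complete ValidatingAdmissionPolicy plus binding that implements that restriction. The policy and binding names, the rejection message and the exact CEL expression are my own construction; the expression accepts a Pod only if it declares no volumes at all, or none of its volumes carries a gitRepo source:

```yaml
# Added example: cluster-wide policy that rejects Pods using gitRepo volumes.
# Names and message text are assumptions chosen for this example.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-gitrepo-volumes
spec:
  # Fail closed: if the policy cannot be evaluated, reject the request.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # Pass when spec.volumes is absent, or when no volume has a gitRepo field.
    - expression: "!has(object.spec.volumes) || !object.spec.volumes.exists(v, has(v.gitRepo))"
      message: "gitRepo volumes are not allowed in this cluster; clone the repository from an init container into an emptyDir volume instead."
      reason: Forbidden
---
# The binding activates the policy; with no matchResources it applies to every namespace.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-gitrepo-volumes
spec:
  policyName: deny-gitrepo-volumes
  validationActions: [Deny]
```

Matching on Pod objects is sufficient, since pods created by Deployments, Jobs or other controllers still pass through pod admission. Before enforcing, you can test the policy against an existing manifest with `kubectl apply --dry-run=server -f pod.yaml`; a Pod that carries a gitRepo volume is rejected with the message above. The `admissionregistration.k8s.io/v1` API is available from Kubernetes 1.30; on 1.28 and 1.29 the same resources exist under the beta `admissionregistration.k8s.io/v1beta1` group, which has to be enabled on the API server. The policy is a stop-gap: the durable fix is upgrading the kubelet to a release outside the affected ranges listed above, and since the gitRepo volume type has long been deprecated upstream, workloads should migrate to an init container that runs `git clone` into an emptyDir volume.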
Affected packages
Platform | Package | State | Recommendation | Release
---|---|---|---|---
Red Hat Ansible Automation Platform 1.2 | ansible-tower | Will not fix | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-supported-rhel8 | Affected | |
Red Hat Ansible Automation Platform 2 | automation-controller | Will not fix | |
Red Hat Discovery | discovery-server-container | Not affected | |
Red Hat Enterprise Linux 9 | fence-agents | Will not fix | |
Red Hat OpenShift Container Platform 4 | openshift4/cnf-tests-rhel8 | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-ansible-operator | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift4/ztp-site-generate-rhel8 | Not affected | |
Additional information
Status:
EPSS:
CVSS3: 8.1 High
Related vulnerabilities