CVE-2024-10220

Aliases: GHSA-27wf-5967-98gx, GO-2024-3286
Advisory lineage Upstream: 0 Downstream: 4
Deferred
Published: 22 Nov 2024, 16:23
Last modified: 25 Nov 2024, 18:22

Vulnerability Summary

Overall Risk (default)
medium
40/100
CVSS Score
8.1 HIGH
v3.1 (cve.org)
EPSS Score
39.57% HIGH
40% probability +12.24%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

22 Nov 2024, 16:23
Published
Vulnerability first disclosed
25 Nov 2024, 18:22
Last Modified
Vulnerability information updated

Description

The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.

CVSS Metrics

  • v4.0 HIGH, Score: 8.6 — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
  • v3.1 HIGH, Score: 8.1 — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 39.57% Percentile: 97%

Techniques & Countermeasures

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

  • k8s.io / kubernetes

    < 1.28.12 | ≥ 1.29.0, < 1.29.7 | ≥ 1.30.0, < 1.30.3

  • kubernetes / kubelet

    ≤ 1.28.11 | ≥ 1.29.0, ≤ 1.29.6 | ≥ 1.30.0, ≤ 1.30.2

References (8)