CVE-2024-3177

Aliases:GHSA-pxhw-596r-rwq5GO-2024-2746CGA-rrj8-p3g2-2952CGA-hf9x-fxv8-4wr7
Advisory lineage Upstream: 0 Downstream: 10
Deferred
Published: 22 Apr 2024, 23:00
Last modified:10 Sept 2024, 20:48

Vulnerability Summary

Overall Risk (default)
low
12/100
CVSS Score
2.7 LOW
v3.1 (cve.org)
EPSS Score
8.42% LOW
8% probability +2.03%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

22 Apr 2024, 23:00
Published
Vulnerability first disclosed
10 Sept 2024, 20:48
Last Modified
Vulnerability information updated

Description

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.

CVSS Metrics

  • v3.1LOWScore: 2.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 8.42% Percentile: 92%

Techniques & Countermeasures

  • CWE-20Improper Input Validation

    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

  • chainguardcalico-fips-3.25

    < 3.25.2-r5

  • k8s.iokubernetes

    < 1.27.13 | ≥ 1.28.0, < 1.28.9 | ≥ 1.29.0, < 1.29.4

  • kuberneteskubernetes

    ≤ 1.27.12 | v1.28.0 - v1.28.8 | v1.29.0 - v1.29.3

References (14)