CVE-2024-10220: Kubernetes Vulnerability Allows Arbitrary Command Execution
A high-severity vulnerability has been discovered in Kubernetes, potentially allowing attackers to execute arbitrary commands outside of container boundaries. Tracked as CVE-2024-10220 and assigned a CVSS score of 8.1, the flaw affects Kubernetes clusters running specific versions of kubelet.
The vulnerability exploits the gitRepo volume, a feature used to clone Git repositories into pods. By manipulating the hooks folder within a target repository, attackers can execute commands beyond the intended container restrictions.
“This vulnerability leverages the hooks folder in the target repository to run arbitrary commands outside of the container’s boundary,” explains the kubernetes issues. This could allow malicious actors to gain unauthorized access to sensitive data, escalate privileges, and compromise the entire Kubernetes cluster.
The affected versions of kubelet include:
- v1.30.0 to v1.30.2
- v1.29.0 to v1.29.6
- <= v1.28.11
To mitigate this vulnerability, Kubernetes users are urged to upgrade their clusters to one of the fixed versions:
As the gitRepo volume has been deprecated, the recommended solution is to migrate away from this feature. Kubernetes suggests performing Git clone operations using an init container and mounting the resulting directory into the pod’s container.
This vulnerability, originally disclosed in July, highlights the importance of staying informed about security updates and promptly applying necessary patches.
