
A high-severity vulnerability has been discovered in Kubernetes, potentially allowing attackers to execute arbitrary commands outside of container boundaries.
The vulnerability, tracked as CVE-2024-10220 with a CVSS score of 8.1, affects Kubernetes clusters running specific versions of kubelet.
The vulnerability lies in the gitRepo volume, a feature used to clone Git repositories into pods. By manipulating the hooks folder within a target repository, a malicious actor could gain unauthorized access to sensitive data, escalate privileges, and compromise the entire Kubernetes cluster.
The affected versions of kubelet include:
- v1.30.0 to v1.30.2
- v1.29.0 to v1.29.6
- <= v1.28.11
Kubernetes users are urged to upgrade their clusters to one of the fixed versions:
- master/v1.31.0
- v1.30.3
- v1.29.7
- v1.28.12
As the gitRepo volume has been deprecated, the recommended solution is to migrate away from this feature. Kubernetes suggests performing Git clone operations using an init container and mounting the resulting directory into the pod’s container.
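The following is an added example, not code from the advisory or from the Kubernetes project. It covers the two practical checks the text above calls for: deciding whether a given kubelet version falls inside the affected ranges listed earlier, and auditing Pod manifests for the deprecated gitRepo volume, rewriting each one into the recommended pattern of an init container that performs the clone into an emptyDir shared with the application container. The git image name, the `/repo` mount path, the handling of vendor version suffixes, and the sample manifest are assumptions of this example, not values taken from the advisory.

```python
import copy
import re

# Affected kubelet ranges from the advisory, as inclusive (low, high) version tuples.
AFFECTED_RANGES = [
    ((1, 30, 0), (1, 30, 2)),
    ((1, 29, 0), (1, 29, 6)),
    ((0, 0, 0), (1, 28, 11)),  # everything up to and including v1.28.11
]


def parse_version(version):
    """Turn 'v1.28.11' into (1, 28, 11). Assumption: a vendor suffix such as
    '-gke.100' or '+k3s1' carries no meaning for this check and is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_kubelet(version):
    """True when the kubelet version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def find_gitrepo_volumes(pod):
    """Names of volumes in a Pod manifest that still use the deprecated gitRepo source."""
    volumes = pod.get("spec", {}).get("volumes") or []
    return [v["name"] for v in volumes if "gitRepo" in v]


def clone_target(git_repo, mount_root="/repo"):
    """Where the init container should clone to, mirroring gitRepo's 'directory'
    semantics: '.' means the volume root, unset means <repository basename>."""
    directory = git_repo.get("directory") or re.sub(
        r"\.git$", "", git_repo["repository"].rstrip("/").rsplit("/", 1)[-1])
    return mount_root if directory == "." else f"{mount_root}/{directory}"


def migrate_gitrepo_volumes(pod, git_image="alpine/git:2.45.2", mount_root="/repo"):
    """Return a copy of the Pod in which every gitRepo volume becomes an emptyDir
    that an init container fills with 'git clone' (the advisory's recommendation).
    The image name and mount path are assumptions, not values from the advisory."""
    pod = copy.deepcopy(pod)
    spec = pod.setdefault("spec", {})
    init_containers = spec.setdefault("initContainers", [])
    for vol in spec.get("volumes") or []:
        src = vol.pop("gitRepo", None)
        if src is None:
            continue
        target = clone_target(src, mount_root)
        # Repository, target and revision are passed as positional parameters
        # rather than interpolated into the script, so odd characters in a
        # manifest value cannot alter the command that runs.
        script = 'git clone -- "$1" "$2"'
        argv = [src["repository"], target]
        if src.get("revision"):
            script += ' && git -C "$2" checkout --detach "$3"'
            argv.append(src["revision"])
        vol["emptyDir"] = {}
        init_containers.append({
            "name": f"clone-{vol['name']}",
            "image": git_image,
            "command": ["sh", "-c", script, "clone", *argv],
            "volumeMounts": [{"name": vol["name"], "mountPath": mount_root}],
        })
    return pod


# Constructed sample manifest that still relies on the deprecated volume type.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "nginx:1.27",
            "volumeMounts": [{"name": "site", "mountPath": "/usr/share/nginx/html"}],
        }],
        "volumes": [{
            "name": "site",
            "gitRepo": {
                "repository": "https://example.com/org/site.git",
                "revision": "main",
                "directory": ".",
            },
        }],
    },
}


if __name__ == "__main__":
    import json
    for ver in ("v1.28.11", "v1.28.12", "v1.29.6", "v1.30.3"):
        print(ver, "affected" if is_affected_kubelet(ver) else "fixed")
    print("gitRepo volumes:", find_gitrepo_volumes(SAMPLE_POD))
    print(json.dumps(migrate_gitrepo_volumes(SAMPLE_POD), indent=2))
```

The application container keeps its original `volumeMounts` entry, so it sees the cloned tree at the same path as before; only the source of the volume changes. The clone now runs inside an ordinary init container with the pod's own image and service account rather than being performed by kubelet on the node, which is the point of the migration. `find_gitrepo_volumes` can be run over manifests exported from a cluster to inventory remaining uses before upgrading.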