The Kubernetes community discovered the vulnerability CVE-2024-10220. This vulnerability allows a user who has permission to create a pod and attach a gitRepo volume to it to execute arbitrary commands beyond the container boundary. An attacker can use the hooks folder of the target Git repository to run arbitrary commands outside the container, which amounts to a command injection attack against the node.
The CVE-2024-10220 vulnerability is rated as high severity and its Common Vulnerability Scoring System (CVSS) score is 8.1. For more information about this vulnerability, see #128885.
Affected versions
The following kubelet versions are affected by this vulnerability:
v1.30.0 to v1.30.2
v1.29.0 to v1.29.6
v1.28.11 and earlier
This vulnerability is fixed in the following versions:
v1.31.0
v1.30.3
v1.29.7
v1.28.12
Vulnerability detection
You can use the following command to check whether your cluster contains pods that match the exploitation pattern of this vulnerability.
The command lists all pods that mount a volume of type gitRepo and clone the repository into a .git subdirectory (a directory named .git, or any path ending in /.git). It tolerates pods that have no volumes or whose volumes are not of type gitRepo, and prints each matching pod once:
kubectl get pods --all-namespaces -o json | jq '.items[] | select(any(.spec.volumes[]?; (.gitRepo.directory? // "") | (. == ".git" or endswith("/.git")))) | {name: .metadata.name, namespace: .metadata.namespace}'
Solutions
Since the gitRepo volume type is deprecated, the community recommends using an init container to perform the Git clone operation and mounting the cloned directory into the application container through a shared volume. For more information, see example.
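The following pod manifest is an added illustration of that replacement, not the example the community links to: the clone runs inside an unprivileged init container rather than being performed by the kubelet on the node, so hooks shipped in the repository cannot execute outside the pod. The pod name, the images, the branch name and the repository URL are placeholders to be replaced with your own values.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: git-clone-init-example        # placeholder name
spec:
  volumes:
  - name: repo
    emptyDir: {}                        # shared volume that replaces the gitRepo volume
  initContainers:
  - name: git-clone
    image: alpine/git                   # assumption: any image that ships a git binary
    command: ["git"]
    args:
    - clone
    - --single-branch
    - --branch
    - main                              # placeholder: the revision the application needs
    - --depth=1
    - https://github.com/example/example-repo.git   # placeholder repository URL
    - /repo
    volumeMounts:
    - name: repo
      mountPath: /repo
    securityContext:                    # the clone runs as an unprivileged user in the pod
      runAsNonRoot: true
      runAsUser: 1000
      allowPrivilegeEscalation: false
  containers:
  - name: app
    image: nginx                        # assumption: the workload that consumes the checkout
    volumeMounts:
    - name: repo
      mountPath: /usr/share/nginx/html  # the application reads the clone from the shared volume
      readOnly: true
```

When migrating an existing workload, remove the gitRepo entry from the pod's volumes and point the application at the mount path of the shared emptyDir instead.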
By enabling the ACKBlockVolumeTypes policy in policy governance, you can restrict pods deployed in specified scopes of the cluster from using certain volume types. This can prevent pods from using gitRepo volumes, thereby limiting an attacker's ability to exploit them.
We recommend that you pay attention to the relevant ACK announcements and update node pools promptly. For more information, see Update a node pool.