CVE-2024-3177

EUVD-2024-1273
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.
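A defensive manifest audit for the reference path this record describes, as an added example that is not code from the Kubernetes project or from this record. It assumes the pod spec is the parsed YAML/JSON dictionary and that the allowed names come from the service account's secrets field; every secret reference (volumes, env secretKeyRef, and the envFrom secretRef path the admission plugin missed) across containers, init containers and ephemeral containers is compared against that list.

```python
"""Audit a pod spec against a service account's mountable-secrets list.

Added example, not Kubernetes project code. It mirrors the intent of the
kubernetes.io/enforce-mountable-secrets check: every secret a pod references
must appear in the service account's `secrets` field. The pre-fix plugin
missed references made via envFrom[].secretRef; this audit covers volumes,
env[].valueFrom.secretKeyRef and envFrom[].secretRef in every container kind.
"""
from typing import Dict, List, Set

CONTAINER_KINDS = ("containers", "initContainers", "ephemeralContainers")


def referenced_secrets(pod_spec: Dict) -> Dict[str, Set[str]]:
    """Return secret names referenced by the pod, keyed by reference path."""
    refs: Dict[str, Set[str]] = {"volume": set(), "env": set(), "envFrom": set()}
    for vol in pod_spec.get("volumes", []):
        name = vol.get("secret", {}).get("secretName")
        if name:
            refs["volume"].add(name)
    for kind in CONTAINER_KINDS:
        for c in pod_spec.get(kind, []):
            for env in c.get("env", []):
                name = env.get("valueFrom", {}).get("secretKeyRef", {}).get("name")
                if name:
                    refs["env"].add(name)
            for src in c.get("envFrom", []):
                name = src.get("secretRef", {}).get("name")
                if name:
                    refs["envFrom"].add(name)
    return refs


def mountable_secret_violations(pod_spec: Dict, sa_secrets: List[str]) -> List[str]:
    """List 'path:secret' entries not present in the service account's secrets field."""
    allowed = set(sa_secrets)
    return sorted(f"{path}:{name}" for path, names in referenced_secrets(pod_spec).items()
                  for name in names if name not in allowed)


# Constructed sample: the SA permits only "db-creds"; the pod also pulls
# "api-token" and "ssh-key" in through envFrom, the path the advisory describes.
SA_SECRETS = ["db-creds"]
POD_SPEC = {
    "volumes": [{"name": "db", "secret": {"secretName": "db-creds"}}],
    "containers": [{"name": "app",
                    "env": [{"name": "PW", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "pw"}}}],
                    "envFrom": [{"secretRef": {"name": "api-token"}}]}],
    "ephemeralContainers": [{"name": "dbg", "envFrom": [{"secretRef": {"name": "ssh-key"}}]}],
}
```

Running `mountable_secret_violations(POD_SPEC, SA_SECRETS)` on the constructed sample reports only the two envFrom references, which is exactly the set the unpatched plugin would have let through.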
CVSS 3.x Base Score
Provider    Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
kubernetes  CNA   2.7 LOW     NETWORK      LOW              HIGH            CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
EPSS Score: Percentile 91%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor      Product     Version    Source
kubernetes  kubernetes  ≤ 1.27.12  CNA
Debian Releases
Product     Codename  Version                          Status
kubernetes  bookworm  1.20.5+really1.20.2-1.1+deb12u1  fixed
kubernetes  bullseye  1.20.5+really1.20.2-1            fixed
kubernetes  forky     1.33.4+ds-1                      fixed
kubernetes  sid       1.33.4+ds-1                      fixed
kubernetes  trixie    1.32.3+ds-2                      fixed
Ubuntu Releases
Product     Codename  Status
kubernetes  focal     not-affected
kubernetes  jammy     not-affected
kubernetes  mantic    ignored
kubernetes  noble     not-affected
kubernetes  oracular  ignored
kubernetes  plucky    dne