CVE-2024-7598

20.03.2025, 17:15

A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a brief period in which the pods are running, but network policies that should apply to connections to and from the pods are not enforced.

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.1 LOW	ADJACENT_NETWORK	HIGH	NONE	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
kubernetes	CNA	3.1 LOW	ADJACENT_NETWORK	HIGH	NONE	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

kubernetes

bullseye	1.20.5+really1.20.2-1 fixed
bookworm	1.20.5+really1.20.2-1.1 fixed
sid	1.32.3+ds-1 fixed
trixie	1.32.3+ds-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

kubernetes

plucky	dne
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://github.com/kubernetes/kubernetes/issues/126587

https://groups.google.com/g/kubernetes-security-announce/c/67D7UFqiPRc

http://www.openwall.com/lists/oss-security/2025/03/20/2