CVE-2024-10220
Published 2024-11-22
Priority: P3 · 56 · Severity: high · CVSS 3.1 base score: 8.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 3.00% (85.7th percentile)
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | >= 0 < 1.28.12 | 1.28.12 |
| k8s.io | kubernetes | >= 1.29.0 < 1.29.7 | 1.29.7 |
| k8s.io | kubernetes | >= 1.30.0 < 1.30.3 | 1.30.3 |
| kubernetes | kubelet | <= 1.28.11 | — |
| kubernetes | kubelet | 1.29.0 – 1.29.6 | — |
| kubernetes | kubelet | 1.30.0 – 1.30.2 | — |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| msrc | azl3_kubernetes_1.30.1-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.30.3-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_kubernetes_1.28.4-14_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-17_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for git hooks execution on the host: the exploit leverages the hooks folder in the target repository cloned by the gitRepo volume to run commands on the host.
- Affected kubelet versions: through 1.28.11, 1.29.0–1.29.6, and 1.30.0–1.30.2. Clusters running these versions with gitRepo volumes enabled are exploitable.
- The gitRepo volume type is the sole attack surface; clusters that do not use or permit gitRepo volumes are not exploitable via this CVE.
- Mitigation (short of patching) is to enforce a ValidatingAdmissionPolicy that blocks gitRepo volume definitions in pod specs.
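One way to apply the mitigation above, given here as an added example that is not part of this advisory or of the Kubernetes project's own material: a ValidatingAdmissionPolicy and its binding that reject any Pod whose spec declares a gitRepo volume. The object name `deny-gitrepo-volumes` and the rejection message are assumptions; the CEL expression checks whether any entry in `spec.volumes` carries a `gitRepo` key.

```yaml
# Added example (not from the advisory or the Kubernetes project).
# Rejects Pods that declare a gitRepo volume at admission time.
# On clusters older than 1.30 the same objects exist under
# admissionregistration.k8s.io/v1beta1 (the API went GA in v1 with 1.30).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-gitrepo-volumes   # assumed name
spec:
  failurePolicy: Fail          # a policy evaluation error rejects the request
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # True when the Pod has no volumes, or none of them is a gitRepo volume.
    - expression: "!has(object.spec.volumes) || !object.spec.volumes.exists(v, has(v.gitRepo))"
      message: "gitRepo volumes are not permitted in this cluster (CVE-2024-10220)"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-gitrepo-volumes   # assumed name
spec:
  policyName: deny-gitrepo-volumes
  validationActions: ["Deny"]  # enforce, not just audit
  # No matchResources: the binding applies cluster-wide.
```

Because the policy matches Pods rather than the controllers that create them, it catches Pods produced by Deployments, Jobs and DaemonSets as well as Pods created directly; a controller whose template still uses gitRepo will simply fail to create its Pods, which surfaces in the controller's events. A quick check is `kubectl apply --dry-run=server` on a manifest containing a gitRepo volume, which should be rejected with the message above, and on the same manifest with the volume changed to an emptyDir, which should be accepted. The gitRepo volume type has been deprecated by Kubernetes for some time; the documented replacement is an init container that clones the repository into an emptyDir volume, which does not run on the host.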
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| osv | — | 8.1 | HIGH | — |
| vendor_debian | — | 8.1 | HIGH | — |
| vendor_msrc | — | 8.1 | HIGH | — |
| vendor_redhat | — | 8.1 | HIGH | — |
Microsoft
Arbitrary command execution through gitRepo volume
vendor_msrc · 2024-11-12 · CVSS 8.1 · HIGH · CWE-22
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
kubernetes: kubernetes
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://
Red Hat
kubernetes: Arbitrary command execution through gitRepo volume
vendor_redhat · 2024-11-08 · CVSS 8.1 · HIGH · CWE-653
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
A flaw was found in the Kubelet component from the Kubernetes package. This flaw allows an attacker to create a pod and an associated gitRepo volume to execute arbitrary commands outside the container, bypassing the intended isolation between the container and the host.
Statement: This vulnerability is classified as important severity due to its potential to allow arbitrary command execution beyond the container boundary, which can lead to severe security breaches. By leveraging the hooks folder in the target repository a
Debian
CVE-2024-10220: kubernetes - The Kubernetes kubelet component allows arbitrary command execution via speciall...
vendor_debian · 2024 · CVSS 8.1 · HIGH
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed in 1.20.5+really1.20.2-1)
trixie: resolved (fixed in 1.20.5+really1.20.2-1)
OSV
Kubernetes kubelet arbitrary command execution in k8s.io/kubernetes
osv · 2024-11-27
OSV
CVE-2024-10220: The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes
osv · 2024-11-22 · CVSS 8.1 · HIGH
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
OSV
Kubernetes kubelet arbitrary command execution
osv · 2024-11-22 · HIGH
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
GHSA
Kubernetes kubelet arbitrary command execution
ghsa · 2024-11-22 · HIGH · CWE-22
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.