CVE-2024-10220: Path Traversal in Kubernetes

Severity: 8.1 HIGH (NVD)
EPSS: 39.6% (top 2.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 22; latest update Nov 27

Description

The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
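A defender reading this record usually wants two checks: is my kubelet inside the affected ranges, and do any of my Pod manifests use the gitRepo volume type the description names. The script below is an added example written for this page; it is not cvebase's, the Kubernetes project's, or any advisory's own code. It encodes exactly the three ranges from the description above (the Go package row lists a different upper bound for the 1.29 line, so confirm against your distribution's advisory), parses versions as `major.minor.patch` while ignoring any suffix such as `-gke.100` (an assumption), and scans `spec.volumes` of a Pod manifest for entries with a `gitRepo` key. The sample manifest is constructed for the example.

```python
"""Check kubelet versions against the CVE-2024-10220 affected ranges and
flag gitRepo volumes in a Pod manifest.

Added example for this page; not code from cvebase or the Kubernetes
project. Ranges are taken verbatim from the CVE description.
"""
import re

# Affected kubelet ranges as the CVE description lists them (inclusive
# bounds). A lower bound of None means "every earlier version".
AFFECTED_RANGES = [
    (None, (1, 28, 11)),        # through 1.28.11
    ((1, 29, 0), (1, 29, 6)),   # from 1.29.0 through 1.29.6
    ((1, 30, 0), (1, 30, 2)),   # from 1.30.0 through 1.30.2
]

# Leading "v" is optional; anything after the patch number (pre-release or
# vendor suffix such as "-gke.100") is ignored. This is an assumption of the
# example, not something the page states.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for strings like 'v1.29.3-gke.100'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised kubelet version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True if the kubelet version falls in any range from the description."""
    version = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if (low is None or low <= version) and version <= high:
            return True
    return False


def gitrepo_volumes(pod):
    """Return the names of volumes in a Pod manifest (parsed to a dict)
    that use the gitRepo volume type named in the CVE description."""
    spec = pod.get("spec", {})
    return [
        volume.get("name", "<unnamed>")
        for volume in spec.get("volumes", [])
        if "gitRepo" in volume
    ]


# Constructed sample manifest (not from the page): one gitRepo volume and
# one unrelated emptyDir volume.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "containers": [{"name": "app", "image": "example/app:1.0"}],
        "volumes": [
            {"name": "src", "gitRepo": {"repository": "https://example.invalid/repo.git"}},
            {"name": "cache", "emptyDir": {}},
        ],
    },
}


if __name__ == "__main__":
    # Constructed node versions, e.g. from `kubectl get nodes -o wide`.
    for node_version in ["v1.28.11", "v1.28.12", "v1.29.6-gke.100", "v1.30.3"]:
        state = "AFFECTED" if is_affected(node_version) else "not affected"
        print(f"{node_version:>16}: {state}")
    print("gitRepo volumes in sample Pod:", gitrepo_volumes(SAMPLE_POD))
```

The version check only tells you whether the kubelet binary is in a listed range; whether a cluster is exposed also depends on whether any workload can declare a gitRepo volume, which is what the manifest scan surfaces. Run the scan over every Pod and Pod-template (Deployment, DaemonSet, Job) manifest you admit, not just running Pods.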

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (3 packages)

Source      Package                  Version range (as listed)
CVEListV5   kubernetes/kubelet       1.29.0 to 1.29.6 (+2 more ranges)
Go          k8s.io/kubernetes        1.29.0 to 1.29.7 (+2 more ranges)
Debian      kubernetes/kubernetes    < 1.20.5+really1.20.2-1 (+3 more ranges)

🔴 Vulnerability Details (5)

- OSV: Kubernetes kubelet arbitrary command execution in k8s.io/kubernetes (2024-11-27)
- OSV: CVE-2024-10220: The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes (2024-11-22)
- OSV: Kubernetes kubelet arbitrary command execution (2024-11-22)
- GHSA: Kubernetes kubelet arbitrary command execution (2024-11-22)
- CVEList: Arbitrary command execution through gitRepo volume (2024-11-22)

📋 Vendor Advisories (3)

- Microsoft: Arbitrary command execution through gitRepo volume (2024-11-12)
- Red Hat: kubernetes: Arbitrary command execution through gitRepo volume (2024-11-08)
- Debian: CVE-2024-10220: kubernetes - The Kubernetes kubelet component allows arbitrary command execution via speciall... (2024)
Source: CVE-2024-10220: Path Traversal in K8s.io Kubernetes | cvebase