cbcvebase.
CVE-2024-10220
published 2024-11-22

Priority: P356 · Severity: high · CVSS 3.1 base score: 8.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 3.00% (85.7th percentile)
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.

Affected

17 ranges

Vendor     | Product                                      | Version range                                   | Fixed in
-----------|----------------------------------------------|-------------------------------------------------|---------------------------------
debian     | kubernetes                                   | < kubernetes 1.20.5+really1.20.2-1 (bookworm)   | kubernetes 1.20.5+really1.20.2-1 (bookworm)
k8s.io     | kubernetes                                   | >= 0, < 1.28.12                                 | 1.28.12
k8s.io     | kubernetes                                   | >= 1.29.0, < 1.29.7                             | 1.29.7
k8s.io     | kubernetes                                   | >= 1.30.0, < 1.30.3                             | 1.30.3
kubernetes | kubelet                                      | <= 1.28.11                                      | (not given)
kubernetes | kubelet                                      | 1.29.0 – 1.29.6                                 | (not given)
kubernetes | kubelet                                      | 1.30.0 – 1.30.2                                 | (not given)
kubernetes | kubernetes                                   | >= 0, < 1.20.5+really1.20.2-1 (listed 4 times)  | 1.20.5+really1.20.2-1
msrc       | azl3_kubernetes_1.30.1-4_on_azure_linux_3.0  | (not given)                                     | (not given)
msrc       | azl3_kubernetes_1.30.3-1_on_azure_linux_3.0  | (not given)                                     | (not given)
msrc       | azure_linux_3.0_arm                          | (not given)                                     | (not given)
msrc       | azure_linux_3.0_x64                          | (not given)                                     | (not given)
msrc       | cbl2_kubernetes_1.28.4-14_on_cbl_mariner_2.0 | (not given)                                     | (not given)
msrc       | cbl2_kubernetes_1.28.4-17_on_cbl_mariner_2.0 | (not given)                                     | (not given)

Upstream fixes are in 1.28.12, 1.29.7 and 1.30.3 (the k8s.io rows). The kubernetes/kubelet rows state only the affected ranges, and the msrc rows name Azure Linux and CBL-Mariner package builds without a version range.

Detection & IOCs (extracted from sources)

  • Monitor for git hook execution on the host: the exploit uses the hooks folder of the repository cloned by the gitRepo volume to run commands on the node, and because the kubelet itself performs the git operations, the hook runs with the kubelet process's privileges.
  • Affected kubelet versions: through 1.28.11, 1.29.0–1.29.6, and 1.30.0–1.30.2. Clusters running these versions with gitRepo volumes enabled are exploitable by any principal that can create a pod (directly or through a workload controller) with a gitRepo volume, which is the PR:L in the CVSS vector.
  • The gitRepo volume type is the sole attack surface; clusters that do not use or permit gitRepo volumes are not exploitable via this CVE.
  • Mitigation (short of patching) is to enforce a ValidatingAdmissionPolicy that blocks gitRepo volume definitions in pod specs. Admission only evaluates new requests, so pods that already mount a gitRepo volume must be found and recreated separately.
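
The admission-policy mitigation from the last bullet, written out as an added example (this is not the page's own text nor code from the Kubernetes project): a ValidatingAdmissionPolicy plus a binding that rejects any pod whose spec.volumes contains a gitRepo entry. The object names and the rejection message are assumptions. The gitRepo volume type has been deprecated upstream for years, so denying it cluster-wide rarely breaks legitimate workloads. On 1.28 and 1.29 the resource is beta under admissionregistration.k8s.io/v1beta1 and that API version must be enabled on the API server; the v1 API is available from 1.30. If neither is available on your cluster, the same check belongs in a validating webhook or policy engine.

```yaml
# Added example, not the page's or the Kubernetes project's own code.
# Names and message text are assumptions. On Kubernetes 1.28/1.29 change
# both apiVersion values to admissionregistration.k8s.io/v1beta1 and make
# sure that API version is enabled on the API server; v1 exists from 1.30.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-gitrepo-volumes
spec:
  failurePolicy: Fail            # reject the pod if the policy cannot be evaluated
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # Pass when the pod declares no volumes at all, or when none of its
    # volumes is a gitRepo volume. has() is used because an unset field
    # is absent from the object rather than null in Kubernetes CEL.
    - expression: "!has(object.spec.volumes) || object.spec.volumes.all(v, !has(v.gitRepo))"
      message: "gitRepo volumes are not permitted (CVE-2024-10220)"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-gitrepo-volumes
spec:
  policyName: deny-gitrepo-volumes
  validationActions: ["Deny"]
  # No matchResources, so the binding applies to pods in every namespace,
  # including pods created by Deployments, Jobs and DaemonSets, since those
  # controllers create pods through the same API server admission path.
```

Apply both objects with `kubectl apply -f`. Pods that were admitted before the policy existed are not re-evaluated, so list them and recreate them without the volume, for example with `kubectl get pods -A -o json | jq -r '.items[] | select(.spec.volumes? // [] | any(.gitRepo?)) | "\(.metadata.namespace)/\(.metadata.name)"'`. The policy is a stop-gap; the upstream fix is to move to 1.28.12, 1.29.7 or 1.30.3.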

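For the first bullet, monitoring git hook execution on the host, here is an added Falco rule as an example (not from the page, the kubelet project or the Falco project). It assumes Falco's default syscall event source and relies on the kubelet's on-disk layout, where gitRepo clones live under the pod directory at volumes/kubernetes.io~git-repo/, so that path fragment identifies them whatever the kubelet root directory is. The rule name, tags and output format are assumptions.

```yaml
# Added example Falco rule, not code from the page or from the Falco project.
# Assumption: kubelet keeps gitRepo clones beneath a directory named
# kubernetes.io~git-repo, so that substring marks a gitRepo volume path.
- rule: Git hook executed from kubelet gitRepo volume
  desc: >
    A process was spawned by git on the host (not in a container) with a path
    under a hooks/ directory inside a kubelet gitRepo volume. A fresh clone
    carries no active hooks, so git running one here is the command-execution
    primitive described for CVE-2024-10220.
  condition: >
    evt.type in (execve, execveat) and evt.dir = <
    and container.id = host
    and proc.pname = git
    and (proc.exe contains "/hooks/" or proc.args contains "/hooks/")
    and (proc.exe contains "kubernetes.io~git-repo" or proc.args contains "kubernetes.io~git-repo")
  output: >
    Git hook executed from kubelet gitRepo volume
    (user=%user.name exe=%proc.exe args=%proc.args pid=%proc.pid
    parent=%proc.pname ppid=%proc.ppid)
  priority: CRITICAL
  tags: [host, kubernetes, cve_2024_10220]
```

proc.exe is argv[0] as passed to execve, and git invokes a hook by its path, so both script and binary hooks match the first path test. The rule fires only on the hook process itself; whatever the hook then launches has sh or the hook binary as its parent, so keep your existing host shell-spawn and reverse-shell rules alongside it. Load it with the rest of your Falco rules and confirm it fires in a test cluster before relying on it, since the kubelet root and volume layout are the parts this rule depends on.
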
CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|----------------------------------------------
nvd           | 3.1     | 8.1   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
osv           |         | 8.1   | HIGH     |
vendor_debian |         | 8.1   | HIGH     |
vendor_msrc   |         | 8.1   | HIGH     |
vendor_redhat |         | 8.1   | HIGH     |