CVE-2024-3177
published 2024-04-22


Priority: P4 / 14 / low
CVSS 3.1: 2.7 (Low), vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
EPSS: 2.22% (80.5th percentile)
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.
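To make the gap concrete, here is a simplified model of the mountable-secrets check described above, with a switch that reproduces the pre-fix behaviour (secret references in volumes and env valueFrom are checked, envFrom is not) beside the fixed behaviour. This is an added illustration, not the Kubernetes ServiceAccount admission plugin's own code; the pod and service account objects are constructed samples, and imagePullSecrets and projected volumes are deliberately left out of the model.

```python
# Simplified model of the ServiceAccount admission plugin's
# mountable-secrets enforcement (illustration, not Kubernetes source).
# A pod using a service account annotated with the key below may only
# reference secrets listed in that service account's `secrets` field.
ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"


def _all_containers(pod_spec):
    """Yield regular, init and ephemeral containers of a pod spec."""
    for key in ("containers", "initContainers", "ephemeralContainers"):
        yield from pod_spec.get(key, [])


def referenced_secrets(pod_spec, include_env_from=True):
    """Return the set of secret names the pod spec references.

    include_env_from=False mirrors the vulnerable behaviour: secret
    volumes and env valueFrom.secretKeyRef are checked, but a container
    that pulls a whole secret via envFrom.secretRef is never examined.
    """
    refs = set()
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            refs.add(vol["secret"]["secretName"])
    for container in _all_containers(pod_spec):
        for env in container.get("env", []):
            key_ref = env.get("valueFrom", {}).get("secretKeyRef")
            if key_ref:
                refs.add(key_ref["name"])
        if include_env_from:
            for source in container.get("envFrom", []):
                if "secretRef" in source:
                    refs.add(source["secretRef"]["name"])
    return refs


def admit(pod_spec, service_account, include_env_from=True):
    """Return (allowed, offending_secret_names) for the pod."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return True, set()  # annotation absent: policy is not enforced
    allowed = {s["name"] for s in service_account.get("secrets", [])}
    offending = referenced_secrets(pod_spec, include_env_from) - allowed
    return not offending, offending


# Constructed sample: the service account may only mount "app-token",
# but the pod loads every key of "db-creds" into its environment.
SA = {"metadata": {"annotations": {ENFORCE_ANNOTATION: "true"}},
      "secrets": [{"name": "app-token"}]}
POD = {"containers": [{"name": "app", "image": "app:1",
                       "envFrom": [{"secretRef": {"name": "db-creds"}}]}]}
```

With `include_env_from=False` the pod is admitted even though it reads a secret the service account is not allowed to mount; with the envFrom walk enabled the same pod is rejected and the offending secret name is reported.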

Affected

20 ranges
Vendor     | Product                                       | Version range                                  | Fixed in
debian     | kubernetes                                    | < kubernetes 1.20.5+really1.20.2-1 (bookworm)  | kubernetes 1.20.5+really1.20.2-1 (bookworm)
k8s.io     | kubernetes                                    | >= 0 < 1.27.13                                 | 1.27.13
k8s.io     | kubernetes                                    | >= 1.28.0 < 1.28.9                             | 1.28.9
k8s.io     | kubernetes                                    | >= 1.29.0 < 1.29.4                             | 1.29.4
kubernetes | kubernetes                                    | <= 1.27.12                                     |
kubernetes | kubernetes                                    |                                                |
kubernetes | kubernetes                                    |                                                |
kubernetes | kubernetes                                    | >= 0 < 1.20.5+really1.20.2-1                   | 1.20.5+really1.20.2-1
kubernetes | kubernetes                                    | >= 0 < 1.20.5+really1.20.2-1                   | 1.20.5+really1.20.2-1
kubernetes | kubernetes                                    | >= 0 < 1.20.5+really1.20.2-1                   | 1.20.5+really1.20.2-1
kubernetes | kubernetes                                    | >= 0 < 1.20.5+really1.20.2-1                   | 1.20.5+really1.20.2-1
msrc       | azl3_kubernetes_1.29.1-4_on_azure_linux_3.0   |                                                |
msrc       | azl3_kubernetes_1.30.1-1_on_azure_linux_3.0   |                                                |
msrc       | azure_linux_3.0_arm                           |                                                |
msrc       | azure_linux_3.0_x64                           |                                                |
msrc       | cbl2_kubernetes_1.28.4-18_on_cbl_mariner_2.0  |                                                |
msrc       | cbl2_kubernetes_1.28.4-19_on_cbl_mariner_2.0  |                                                |
msrc       | cbl2_kubernetes_1.28.4-21_on_cbl_mariner_2.0  |                                                |
msrc       | cbl2_kubernetes_1.28.4-23_on_cbl_mariner_2.0  |                                                |
msrc       | cbl2_kubernetes_1.28.4-25_on_cbl_mariner_2.0  |                                                |

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 2.7   | LOW      | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
osv           |         | 2.7   | LOW      |
vendor_debian |         | 2.7   | LOW      |
vendor_msrc   |         | 2.7   | LOW      |
vendor_redhat |         | 2.7   | LOW      |