CVE-2024-9042
published 2025-03-13
CVE-2024-9042: This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
Priority P4 · 31 · medium · 5.9 · CVSS 3.1
AV:N / AC:H / PR:H / UI:N / S:U / C:H / I:H / A:N
EPSS 1.39% (69.0th percentile)
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | — | — |
| k8s.io | kubernetes | >= 0 < 1.29.13 | 1.29.13 |
| k8s.io | kubernetes | >= 1.30.0-alpha.0 < 1.30.9 | 1.30.9 |
| k8s.io | kubernetes | >= 1.31.0-alpha.0 < 1.31.5 | 1.31.5 |
| k8s.io | kubernetes | >= 1.32.0-alpha.0 < 1.32.1 | 1.32.1 |
| kubernetes | kubelet | — | — |
| kubernetes | kubelet | v1.30 – v1.30.8 | — |
| kubernetes | kubelet | v1.31 – v1.31.4 | — |
| kubernetes | kubelet | v1.32 – v1.32.0 | — |
| msrc | cbl2_kubernetes_1.28.4-18_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvd · v3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
vendor_debian · 5.9 LOW
vendor_msrc · 5.9 MEDIUM
vendor_redhat · 5.9 MEDIUM
OSV
Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API in k8s.io/kubernetes
osv·2025-03-25
GHSA
Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API
ghsa·2025-03-13
CVE-2024-9042 [MEDIUM] CWE-20 Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API
A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host. This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
OSV
Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API
osv·2025-03-13
CVE-2024-9042 [MEDIUM] Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API
Microsoft
This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
vendor_msrc·2025-03-11·CVSS 5.9
CVE-2024-9042 [MEDIUM] CWE-20 This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
kubernetes:
Red Hat
kubelet: Command Injection affecting Windows nodes via nodes/*/logs/query API
vendor_redhat·2025-01-15·CVSS 5.9
CVE-2024-9042 [MEDIUM] CWE-78 kubelet: Command Injection affecting Windows nodes via nodes/*/logs/query API
This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
A flaw was found in Kubernetes Windows nodes. This vulnerability allows a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.
Statement: This CVE affects only Windows worker nodes. To detect whether this vulnerability has been exploited, you can examine your cluster's audit logs to search for node 'logs' queries with suspicious inputs.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deploymen
Debian
CVE-2024-9042: kubernetes - This CVE affects only Windows worker nodes. Your worker node is vulnerable to th...
vendor_debian·2024·CVSS 5.9
CVE-2024-9042 [MEDIUM] CVE-2024-9042: kubernetes - This CVE affects only Windows worker nodes. Your worker node is vulnerable to th...
This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Suricata
ET WEB_SERVER Kubernetes NodeLogQuery Command Injection (CVE-2024-9042)
suricata·2025-12-11·CVSS 5.9
CVE-2024-9042 [MEDIUM] ET WEB_SERVER Kubernetes NodeLogQuery Command Injection (CVE-2024-9042)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Kubernetes NodeLogQuery Command Injection (CVE-2024-9042)"; flow:established,to_server; http.uri; content:"/api/v1/nodes/"; fast_pattern; startswith; content:"/proxy/logs|3f|"; distance:0; content:"pattern|3d|"; pcre:"/^[^&]*?(?:[\x3b\x24\x60\x7c]|\x25(?:3[bB]|24|60|7[cC]))/R"; reference:url,www.sonicwall.com/blog/understanding-and-addressing-kubernetes-command-injection-cve-2024-9042-; reference:cve,2024-9042; classtype:web-application-attack; sid:2066290; rev:1; metadata:affected_product Kubernetes, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_11, cve CVE_2024_9042, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confid
No public exploits indexed.
Greynoiseio
NoiseLetter July 2025
blogs_greynoiseio
Bugzilla
CVE-2024-9042 kubelet: Command Injection affecting Windows nodes via nodes/*/logs/query API
bugzilla·2025-01-13·CVSS 5.9
CVE-2024-9042 [MEDIUM] CVE-2024-9042 kubelet: Command Injection affecting Windows nodes via nodes/*/logs/query API
Windows nodes are vulnerable to a security issue that allows unauthorized command execution via the /logs endpoint, potentially compromising the host system.
This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
Affected Versions
* v1.32.0
* v1.31.0 to v1.31.4
* v1.30.0 to v1.30.8
* <=v1.29.12
To detect whether this vulnerability has been exploited, you can examine your cluster's audit logs to search for node 'logs' queries with suspicious inputs.
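The audit-log check described above, as an added example that is not part of any advisory quoted on this page or of Kubernetes itself: it scans JSON audit events for node log queries whose `pattern` parameter contains one of the characters the Suricata rule matches. The `requestURI`, `user` and `sourceIPs` fields are standard audit event fields; the optional trailing slash on the path, the helper name and the sample events are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Node log query path; accepting an optional trailing slash is an assumption.
NODE_LOGS = re.compile(r"^/api/v1/nodes/([^/]+)/proxy/logs/?$")
# The characters the Suricata rule above looks for in the `pattern` value.
METACHARS = set(";$`|")

def suspicious_log_queries(audit_lines):
    """Return a finding for each audit event whose node log query has a
    shell metacharacter in its `pattern` parameter."""
    findings = []
    for line in audit_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(event, dict):
            continue
        parts = urlsplit(event.get("requestURI", ""))
        match = NODE_LOGS.match(parts.path)
        if not match:
            continue
        # parse_qsl percent-decodes values, so "%3B" and ";" are treated alike.
        for name, value in parse_qsl(parts.query, keep_blank_values=True, separator="&"):
            hits = sorted(METACHARS & set(value))
            if name == "pattern" and hits:
                findings.append({
                    "node": match.group(1),
                    "user": event.get("user", {}).get("username"),
                    "sourceIPs": event.get("sourceIPs", []),
                    "pattern": value,
                    "chars": hits,
                })
    return findings

# Constructed audit events for illustration; not real log data.
SAMPLE = [
    '{"user":{"username":"alice"},"sourceIPs":["10.0.0.5"],"requestURI":"/api/v1/nodes/win-node-1/proxy/logs/?query=kubelet&pattern=error"}',
    '{"user":{"username":"bob"},"sourceIPs":["10.0.0.9"],"requestURI":"/api/v1/nodes/win-node-1/proxy/logs/?query=kubelet&pattern=error%3Bplaceholder"}',
    '{"user":{"username":"carol"},"sourceIPs":["10.0.0.7"],"requestURI":"/api/v1/nodes/win-node-2/proxy/logs?pattern=$placeholder"}',
    '{"user":{"username":"dave"},"sourceIPs":["10.0.0.3"],"requestURI":"/api/v1/namespaces/default/pods?labelSelector=a%7Cb"}',
]

if __name__ == "__main__":
    for finding in suspicious_log_queries(SAMPLE):
        print(finding)
```

A hit is a lead for review, not proof of exploitation: correlate the reported user and source IP with who is expected to hold access to the node `logs` endpoint.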