CVE-2024-3177 (GCVE-0-2024-3177)

Vulnerability from cvelistv5 – Published: 2024-04-22 23:00 – Updated: 2024-09-10 20:48
VLAI
Title
Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin
Summary
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.
Severity
2.7 (Low)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
Kubernetes Kubernetes Affected: 0 , ≤ 1.27.12 (semver)
Affected: v1.28.0 - v1.28.8
Affected: v1.29.0 - v1.29.3
Create a notification for this product.
Date Public
2024-04-16 10:00
Credits
tha3e1vl
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "kubernetes",
            "vendor": "kubernetes",
            "versions": [
              {
                "status": "affected",
                "version": "1.29.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3177",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-23T00:12:31.706727Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:33:03.250Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:05:07.568Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://github.com/kubernetes/kubernetes/issues/124336"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL54MTLGMTBZZO5PYGEGEBERTMADC4WC/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/16/4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Kubernetes",
          "vendor": "Kubernetes",
          "versions": [
            {
              "lessThanOrEqual": "1.27.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "v1.28.0 - v1.28.8"
            },
            {
              "status": "affected",
              "version": "v1.29.0 - v1.29.3"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "tha3e1vl"
        }
      ],
      "datePublic": "2024-04-16T10:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eA security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account\u2019s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\u003c/div\u003e"
            }
          ],
          "value": "A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account\u2019s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-554",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-554 Functionality Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-10T20:48:09.780Z",
        "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "shortName": "kubernetes"
      },
      "references": [
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/kubernetes/kubernetes/issues/124336"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cdiv\u003eTo mitigate this vulnerability, upgrade Kubernetes: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\"\u003ehttps://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\u003c/a\u003e\u003c/div\u003e\u003c/div\u003e"
            }
          ],
          "value": "To mitigate this vulnerability, upgrade Kubernetes:  https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
    "assignerShortName": "kubernetes",
    "cveId": "CVE-2024-3177",
    "datePublished": "2024-04-22T23:00:39.702Z",
    "dateReserved": "2024-04-01T23:49:13.716Z",
    "dateUpdated": "2024-09-10T20:48:09.780Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-3177",
      "date": "2026-05-29",
      "epss": "0.08423",
      "percentile": "0.92456"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-3177\",\"sourceIdentifier\":\"jordan@liggitt.net\",\"published\":\"2024-04-22T23:15:51.180\",\"lastModified\":\"2024-11-21T09:29:05.083\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account\u2019s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un problema de seguridad en Kubernetes donde los usuarios pueden lanzar contenedores que omiten la pol\u00edtica de secretos montables aplicada por el complemento de admisi\u00f3n ServiceAccount cuando usan contenedores, contenedores init y contenedores ef\u00edmeros con el campo envFrom completo. La pol\u00edtica garantiza que los pods que se ejecutan con una cuenta de servicio solo puedan hacer referencia a secretos especificados en el campo de secretos de la cuenta de servicio. Los cl\u00fasteres de Kubernetes solo se ven afectados si el complemento de admisi\u00f3n ServiceAccount y la anotaci\u00f3n kubernetes.io/enforce-mountable-secrets se usan junto con contenedores, contenedores init y contenedores ef\u00edmeros con el campo envFrom completo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"jordan@liggitt.net\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":2.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"jordan@liggitt.net\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://github.com/kubernetes/kubernetes/issues/124336\",\"source\":\"jordan@liggitt.net\"},{\"url\":\"https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ\",\"source\":\"jordan@liggitt.net\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/04/16/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/kubernetes/kubernetes/issues/124336\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL54MTLGMTBZZO5PYGEGEBERTMADC4WC/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://github.com/kubernetes/kubernetes/issues/124336\", \"tags\": [\"issue-tracking\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL54MTLGMTBZZO5PYGEGEBERTMADC4WC/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/04/16/4\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T20:05:07.568Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-3177\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-23T00:12:31.706727Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*\"], \"vendor\": \"kubernetes\", \"product\": \"kubernetes\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.29.0\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-04-23T00:10:53.094Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin\", \"source\": {\"discovery\": \"INTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"tha3e1vl\"}], \"impacts\": [{\"capecId\": \"CAPEC-554\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-554 Functionality Bypass\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 2.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Kubernetes\", \"product\": \"Kubernetes\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.27.12\"}, {\"status\": \"affected\", \"version\": \"v1.28.0 - v1.28.8\"}, {\"status\": \"affected\", \"version\": \"v1.29.0 - v1.29.3\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"To mitigate this vulnerability, upgrade Kubernetes:  https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003e\u003cdiv\u003eTo mitigate this vulnerability, upgrade Kubernetes: \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\\\"\u003ehttps://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\u003c/a\u003e\u003c/div\u003e\u003c/div\u003e\", \"base64\": false}]}], \"datePublic\": \"2024-04-16T10:00:00.000Z\", \"references\": [{\"url\": \"https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://github.com/kubernetes/kubernetes/issues/124336\", \"tags\": [\"issue-tracking\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account\\u2019s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eA security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account\\u2019s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a6081bf6-c852-4425-ad4f-a67919267565\", \"shortName\": \"kubernetes\", \"dateUpdated\": \"2024-09-10T20:48:09.780Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-3177\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-10T20:48:09.780Z\", \"dateReserved\": \"2024-04-01T23:49:13.716Z\", \"assignerOrgId\": \"a6081bf6-c852-4425-ad4f-a67919267565\", \"datePublished\": \"2024-04-22T23:00:39.702Z\", \"assignerShortName\": \"kubernetes\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.