FKIE_CVE-2026-24005

Vulnerability from fkie_nvd - Published: 2026-02-25 19:43 - Updated: 2026-03-05 00:42
Severity ?
0.0 (None) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Summary
Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. Since kruise-daemon runs with hostNetwork=true, it executes probes from the node network namespace. An attacker with PodProbeMarker creation permission can specify arbitrary Host values to trigger SSRF from the node, perform port scanning, and receive response feedback through NodePodProbe status messages. Versions 1.8.3 and 1.7.5 patch the issue.
References
security-advisories@github.comhttps://github.com/openkruise/kruise/commit/94364b76adf3e8a1749a31afe809a163bed29613Patch
security-advisories@github.comhttps://github.com/openkruise/kruise/releases/tag/v1.7.5Product, Release Notes
security-advisories@github.comhttps://github.com/openkruise/kruise/releases/tag/v1.8.3Product, Release Notes
security-advisories@github.comhttps://github.com/openkruise/kruise/security/advisories/GHSA-9fj4-3849-rv9gExploit, Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
openkruise kruise *
openkruise kruise *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openkruise:kruise:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D53D811F-DD4D-41A2-9B01-6627A7A3D657",
              "versionEndExcluding": "1.7.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openkruise:kruise:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A6B76A0-02C5-4E39-99B1-1C8BD3758257",
              "versionEndExcluding": "1.8.3",
              "versionStartIncluding": "1.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. Since kruise-daemon runs with hostNetwork=true, it executes probes from the node network namespace. An attacker with PodProbeMarker creation permission can specify arbitrary Host values to trigger SSRF from the node, perform port scanning, and receive response feedback through NodePodProbe status messages. Versions 1.8.3 and 1.7.5 patch the issue."
    },
    {
      "lang": "es",
      "value": "Kruise proporciona gesti\u00f3n automatizada de aplicaciones a gran escala en Kubernetes. Antes de las versiones 1.8.3 y 1.7.5, PodProbeMarker permite definir sondas personalizadas con manejadores TCPSocket o HTTPGet. La validaci\u00f3n del webhook no restringe el campo Host en estas configuraciones de sonda. Dado que kruise-daemon se ejecuta con hostNetwork=true, ejecuta sondas desde el espacio de nombres de red del nodo. Un atacante con permiso de creaci\u00f3n de PodProbeMarker puede especificar valores de Host arbitrarios para activar SSRF desde el nodo, realizar escaneo de puertos y recibir retroalimentaci\u00f3n de la respuesta a trav\u00e9s de mensajes de estado de NodePodProbe. Las versiones 1.8.3 y 1.7.5 parchean el problema."
    }
  ],
  "id": "CVE-2026-24005",
  "lastModified": "2026-03-05T00:42:25.553",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 0.0,
          "baseSeverity": "NONE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 0.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-25T19:43:21.163",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/openkruise/kruise/commit/94364b76adf3e8a1749a31afe809a163bed29613"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/openkruise/kruise/releases/tag/v1.7.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/openkruise/kruise/releases/tag/v1.8.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/openkruise/kruise/security/advisories/GHSA-9fj4-3849-rv9g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.