x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-27wf-5967-98gx #3286

GoVulnBot · 2024-11-22T23:01:23Z

Advisory GHSA-27wf-5967-98gx references a vulnerability in the following Go modules:

Module
k8s.io/kubernetes

Description:
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes.This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.

References:

Cross references:

k8s.io/kubernetes appears in 40 other report(s):
- data/excluded/GO-2022-0904.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8561, GHSA-74j8-88mm-7496 #904) NOT_IMPORTABLE
- data/excluded/GO-2022-0909.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25740, GHSA-vw47-mr44-3jf9 #909) NOT_IMPORTABLE
- data/excluded/GO-2022-0940.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8554, GHSA-j9wf-vvm6-4r9w #940) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1943.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-f4w6-3rh6-6q4q #1943) EFFECTIVELY_PRIVATE
- data/reports/GO-2021-0066.yaml (dummy issue #66)
- data/reports/GO-2022-0617.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qh36-44jv-c8xj #617)
- data/reports/GO-2022-0701.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jp32-vmm6-3vf5 #701)
- data/reports/GO-2022-0703.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/apiserver: GHSA-pmqp-h87c-mr78 #703)
- data/reports/GO-2022-0782.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-34jx-wx69-9x8v #782)
- data/reports/GO-2022-0802.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-6qfg-8799-r575 #802)
- data/reports/GO-2022-0867.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubelet/server: GHSA-qhm4-jxv7-j9pq #867)
- data/reports/GO-2022-0885.yaml (x/vulndb: potential Go vuln in k8s.io/kube-proxy: GHSA-wqv3-8cm6-h6wg #885)
- data/reports/GO-2022-0886.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/util/mount: GHSA-wqwf-x5cj-rg56 #886)
- data/reports/GO-2022-0890.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/volume/storageos: GHSA-x6mj-w4jf-jmgw #890)
- data/reports/GO-2022-0907.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25735, GHSA-g42g-737j-qx6j #907)
- data/reports/GO-2022-0908.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25737, GHSA-mfv7-gq43-w965 #908)
- data/reports/GO-2022-0910.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25741, GHSA-f5f7-6478-qm6p #910)
- data/reports/GO-2022-0983.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubectl: CVE-2021-25743, GHSA-f9jg-8p32-2f55 #983)
- data/reports/GO-2023-1492.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jx2-76rc-2v7v #1492)
- data/reports/GO-2023-1628.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-2394-5535-8j88 #1628)
- data/reports/GO-2023-1629.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jh36-q97c-9928 #1629)
- data/reports/GO-2023-1864.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-xc8m-28vv-4pjc #1864)
- data/reports/GO-2023-1891.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qc2g-gmh6-95p4 #1891)
- data/reports/GO-2023-1892.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-cgcv-5272-97pr #1892)
- data/reports/GO-2023-1946.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q4rr-64r9-fwgf #1946)
- data/reports/GO-2023-1959.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jq6-ffph-p4h8 #1959)
- data/reports/GO-2023-1977.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-mm7g-f2gg-cw8g #1977)
- data/reports/GO-2023-1985.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2h9c-34v6-3qmr #1985)
- data/reports/GO-2023-2159.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: CVE-2021-25736 #2159)
- data/reports/GO-2023-2170.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q78c-gwqw-jcmc #2170)
- data/reports/GO-2023-2330.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-7fxm-f474-hf8w #2330)
- data/reports/GO-2023-2341.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-hq6q-c2x6-hmch #2341)
- data/reports/GO-2024-2746.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-pxhw-596r-rwq5 #2746)
- data/reports/GO-2024-2748.yaml (x/vulndb: potential Go vuln in k8s.io/apimachinery: GHSA-33c5-9fx5-fvjm #2748)
- data/reports/GO-2024-2753.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubelet: GHSA-55qj-gj3x-jq9r #2753)
- data/reports/GO-2024-2754.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-5x96-j797-5qqw #2754)
- data/reports/GO-2024-2755.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-5xfg-wv98-264m #2755)
- data/reports/GO-2024-2780.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/cmd/kubelet: GHSA-r76g-g87f-vw8f #2780)
- data/reports/GO-2024-2994.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-82m2-cv7p-4m75 #2994)
- data/reports/GO-2024-3277.yaml (x/vulndb: potential Go vuln in github.com/openshift/kubernetes: CVE-2024-0793 #3277)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: k8s.io/kubernetes
      versions:
        - fixed: 1.28.12
        - introduced: 1.29.0
        - fixed: 1.29.7
        - introduced: 1.30.0
        - fixed: 1.30.3
      vulnerable_at: 1.30.2
summary: Kubernetes kubelet arbitrary command execution in k8s.io/kubernetes
cves:
    - CVE-2024-10220
ghsas:
    - GHSA-27wf-5967-98gx
references:
    - advisory: https://github.com/advisories/GHSA-27wf-5967-98gx
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-10220
    - fix: https://github.com/kubernetes/kubernetes/commit/1ab06efe92d8e898ca1931471c9533ce94aba29b
    - report: https://github.com/kubernetes/kubernetes/issues/128885
    - web: http://www.openwall.com/lists/oss-security/2024/11/20/1
    - web: https://groups.google.com/g/kubernetes-security-announce/c/ptNgV5Necko
source:
    id: GHSA-27wf-5967-98gx
    created: 2024-11-22T23:01:23.120211955Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-11-27T18:45:00Z

Change https://go.dev/cl/632255 mentions this issue: data/reports: add 7 unreviewed reports

gopherbot · 2024-12-13T15:33:20Z

Change https://go.dev/cl/635759 mentions this issue: data/reports: review GO-2024-3286

- data/reports/GO-2024-3286.yaml Fixes #3286 Updates #3301 Change-Id: I9530c44251daaa221d883403800779477cd929de Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635759 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Damien Neil <[email protected]> Auto-Submit: Tatiana Bradley <[email protected]>

tatianab added the triaged label Nov 27, 2024

gopherbot closed this as completed in 0073ceb Nov 27, 2024

GoVulnBot mentioned this issue Feb 13, 2025

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-jgfp-53c3-624w #3465

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-27wf-5967-98gx #3286

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-27wf-5967-98gx #3286

GoVulnBot commented Nov 22, 2024

gopherbot commented Nov 27, 2024

gopherbot commented Dec 13, 2024

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-27wf-5967-98gx #3286

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-27wf-5967-98gx #3286

Comments

GoVulnBot commented Nov 22, 2024

gopherbot commented Nov 27, 2024

gopherbot commented Dec 13, 2024